mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac

Prevent out of buffer write when decoding broken samples. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cfbd98abe82cfcb9984a18d08697251b72b110c8) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Luca Barbato <lu_zero@gentoo.org> 2013-05-15 18:41:41 +0200
committer: Reinhard Tartler <siretart@tauware.de> 2013-06-22 08:48:37 +0200
commit: 7ca8d8223db270deb86d78b6361bec846feaaa9d (patch)
tree: 1946b27ad46c9cc159310a989e9d43ee10c377d1
parent: 33492ad81000b326ba98fe20d6007d4b67cbbd3d (diff)
download: ffmpeg-7ca8d8223db270deb86d78b6361bec846feaaa9d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 47c98994fd..5256a8e04c 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -963,6 +963,11 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
     int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];
     GetBitContext mb_bitmask_gb;
 
+    if (ss < 0  || ss >= 64 ||
+        se < ss || se >= 64 ||
+        Ah < 0  || Al < 0)
+        return AVERROR_INVALIDDATA;
+
     if (mb_bitmask)
         init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width * s->mb_height);
author	Luca Barbato <lu_zero@gentoo.org>	2013-05-15 18:41:41 +0200
committer	Reinhard Tartler <siretart@tauware.de>	2013-06-22 08:48:37 +0200
commit	7ca8d8223db270deb86d78b6361bec846feaaa9d (patch)
tree	1946b27ad46c9cc159310a989e9d43ee10c377d1
parent	33492ad81000b326ba98fe20d6007d4b67cbbd3d (diff)
download	ffmpeg-7ca8d8223db270deb86d78b6361bec846feaaa9d.tar.gz