jv demuxer: prevent video packet size overflow

In the event of overflow, the JV_PADDING state will avio_skip over any overflow bytes (using JVFrame.total_size). Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
author: Peter Ross <pross@xvid.org> 2011-03-13 16:15:38 +1100
committer: Ronald S. Bultje <rsbultje@gmail.com> 2011-03-14 08:06:19 -0400
commit: 7f05c164d8ccbfded9bcefdb41942bc28d85c87a (patch)
tree: 76976fda46428183db950ee1bbe368e3454f4fd3
parent: 772cb06281d9b82f283fc6c2ca7fb55a562d0ad9 (diff)
download: ffmpeg-7f05c164d8ccbfded9bcefdb41942bc28d85c87a.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 314a341ac6..9235e51a99 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -116,6 +116,8 @@ static int read_header(AVFormatContext *s,
         jvf->audio_size = avio_rl32(pb);
         jvf->video_size = avio_rl32(pb);
         jvf->palette_size = avio_r8(pb) ? 768 : 0;
+        jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0),
+                                INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size);
         if (avio_r8(pb))
              av_log(s, AV_LOG_WARNING, "unsupported audio codec\n");
         jvf->video_type = avio_r8(pb);
author	Peter Ross <pross@xvid.org>	2011-03-13 16:15:38 +1100
committer	Ronald S. Bultje <rsbultje@gmail.com>	2011-03-14 08:06:19 -0400
commit	7f05c164d8ccbfded9bcefdb41942bc28d85c87a (patch)
tree	76976fda46428183db950ee1bbe368e3454f4fd3
parent	772cb06281d9b82f283fc6c2ca7fb55a562d0ad9 (diff)
download	ffmpeg-7f05c164d8ccbfded9bcefdb41942bc28d85c87a.tar.gz