aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2018-12-18 14:25:53 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2018-12-19 10:01:00 +0100
commitdfb5046cf33b0cdb7d2b780d8d32e72b98a5914c (patch)
treee75449ece454fb9ff1df04076de80617c8ecdf2a
parent645c5e8c91ff22c9b22003fae1bc84baedab2179 (diff)
downloadffmpeg-dfb5046cf33b0cdb7d2b780d8d32e72b98a5914c.tar.gz
avcodec/mjpegdec: verify SOF len field validity
Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/mjpegdec.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 4cab6608b1..d2dadb9bf1 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -313,7 +313,6 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
memset(s->upscale_h, 0, sizeof(s->upscale_h));
memset(s->upscale_v, 0, sizeof(s->upscale_v));
- /* XXX: verify len field validity */
len = get_bits(&s->gb, 16);
bits = get_bits(&s->gb, 8);
@@ -367,6 +366,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
"bits/component or 16-bit gray");
return AVERROR_PATCHWELCOME;
}
+ if (len != 8 + 3 * nb_components) {
+ av_log(s->avctx, AV_LOG_ERROR, "decode_sof0: error, len(%d) mismatch %d components\n", len, nb_components);
+ return AVERROR_INVALIDDATA;
+ }
+
s->nb_components = nb_components;
s->h_max = 1;
s->v_max = 1;
@@ -712,8 +716,6 @@ unk_pixfmt:
s->width, s->height, s->linesize[0], s->linesize[1],
s->interlaced, s->avctx->height);
- if (len != (8 + (3 * nb_components)))
- av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len);
}
if ((s->rgb && !s->lossless && !s->ls) ||