diff options
author | Zdenek Kabelac <kabi@informatics.muni.cz> | 2003-02-10 10:45:41 +0000 |
---|---|---|
committer | Zdenek Kabelac <kabi@informatics.muni.cz> | 2003-02-10 10:45:41 +0000 |
commit | dce778e0ea295db541e43b0850d3a7ef873996cc (patch) | |
tree | 9e3d35602b79dc7b615d16a94990563bcfb13d02 /libavcodec/mjpeg.c | |
parent | b29f97d1363dee7fe0019bfb9de4fdc35f11890a (diff) | |
download | ffmpeg-dce778e0ea295db541e43b0850d3a7ef873996cc.tar.gz |
* check for potentialy problematic field len
Originally committed as revision 1572 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/mjpeg.c')
-rw-r--r-- | libavcodec/mjpeg.c | 46 |
1 files changed, 24 insertions, 22 deletions
diff --git a/libavcodec/mjpeg.c b/libavcodec/mjpeg.c index ab26ec7aa3..6595df25eb 100644 --- a/libavcodec/mjpeg.c +++ b/libavcodec/mjpeg.c @@ -1262,31 +1262,33 @@ out: static int mjpeg_decode_com(MJpegDecodeContext *s) { - int i; - UINT8 *cbuf; - /* XXX: verify len field validity */ - unsigned int len = get_bits(&s->gb, 16)-2; - cbuf = av_malloc(len+1); - - for (i = 0; i < len; i++) - cbuf[i] = get_bits(&s->gb, 8); - if (cbuf[i-1] == '\n') - cbuf[i-1] = 0; - else - cbuf[i] = 0; - - printf("mjpeg comment: '%s'\n", cbuf); + unsigned int len = get_bits(&s->gb, 16); + if (len >= 2 && len < 32768) { + /* XXX: any better upper bound */ + UINT8 *cbuf = av_malloc(len - 1); + if (cbuf) { + int i; + for (i = 0; i < len - 2; i++) + cbuf[i] = get_bits(&s->gb, 8); + if (i > 0 && cbuf[i-1] == '\n') + cbuf[i-1] = 0; + else + cbuf[i] = 0; + + printf("mjpeg comment: '%s'\n", cbuf); + + /* buggy avid, it puts EOI only at every 10th frame */ + if (!strcmp(cbuf, "AVID")) + { + s->buggy_avid = 1; + // if (s->first_picture) + // printf("mjpeg: workarounding buggy AVID\n"); + } - /* buggy avid, it puts EOI only at every 10th frame */ - if (!strcmp(cbuf, "AVID")) - { - s->buggy_avid = 1; -// if (s->first_picture) -// printf("mjpeg: workarounding buggy AVID\n"); + av_free(cbuf); + } } - - av_free(cbuf); return 0; } |