diff options
author | Alex Converse <alex.converse@gmail.com> | 2012-01-25 13:39:24 -0800 |
---|---|---|
committer | Alex Converse <alex.converse@gmail.com> | 2012-01-26 15:47:36 -0800 |
commit | b57d262412204e54a7ef8fa1b23ff4dcede622e5 (patch) | |
tree | bb34bec688b74bd08ae62cfa15f4cd89c00f5f5a /libavcodec/mjpegbdec.c | |
parent | 299ab0fd17a1738e21f3d036128db23ec14b2f3a (diff) | |
download | ffmpeg-b57d262412204e54a7ef8fa1b23ff4dcede622e5.tar.gz |
mjpegbdec: Fix overflow in SOS.
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>
Fixes CVE-2011-3947
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Diffstat (limited to 'libavcodec/mjpegbdec.c')
-rw-r--r-- | libavcodec/mjpegbdec.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 4ad17ab3ce..c89a5bd404 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -59,6 +59,9 @@ read_header: s->restart_count = 0; s->mjpb_skiptosod = 0; + if (buf_end - buf_ptr >= 1 << 28) + return AVERROR_INVALIDDATA; + init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8); skip_bits(&hgb, 32); /* reserved zeros */ @@ -111,8 +114,8 @@ read_header: av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs); if (sos_offs) { -// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8); - init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8); + init_get_bits(&s->gb, buf_ptr + sos_offs, + 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; if (ff_mjpeg_decode_sos(s, NULL, NULL) < 0 && |