avcodec/mjpegdec: fix overread in find_marker()

Found-by: Laurent Butti <laurentb@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-08-23 04:14:08 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-08-23 04:44:55 +0200
commit: 16a0d75c769a7df6f457b2200dbc9a7cc73798c6 (patch)
tree: 4e2b1abb03cae58961847263f39ff1375f509029 /libavcodec/mjpegdec.c
parent: 2baa12f1d1940e6c480ea58b30b13f6dab1a11cf (diff)
download: ffmpeg-16a0d75c769a7df6f457b2200dbc9a7cc73798c6.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 6e16152724..f71acc20b2 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1610,7 +1610,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
     int skipped = 0;
 
     buf_ptr = *pbuf_ptr;
-    while (buf_ptr < buf_end) {
+    while (buf_end - buf_ptr > 1) {
         v  = *buf_ptr++;
         v2 = *buf_ptr;
         if ((v == 0xff) && (v2 >= 0xc0) && (v2 <= 0xfe) && buf_ptr < buf_end) {
@@ -1619,6 +1619,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
         }
         skipped++;
     }
+    buf_ptr = buf_end;
     val = -1;
 found:
     av_dlog(NULL, "find_marker skipped %d bytes\n", skipped);
author	Michael Niedermayer <michaelni@gmx.at>	2013-08-23 04:14:08 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-08-23 04:44:55 +0200
commit	16a0d75c769a7df6f457b2200dbc9a7cc73798c6 (patch)
tree	4e2b1abb03cae58961847263f39ff1375f509029 /libavcodec/mjpegdec.c
parent	2baa12f1d1940e6c480ea58b30b13f6dab1a11cf (diff)
download	ffmpeg-16a0d75c769a7df6f457b2200dbc9a7cc73798c6.tar.gz