diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-02-25 04:00:43 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-02-25 04:00:43 +0100 |
| commit | b008ac18bb6072acb355445436a999c940538d84 (patch) | |
| tree | 29d0042d7a4d0bc64f452440c2060a13a1e00e51 /libavcodec/mjpegdec.c | |
| parent | 7b9d8703f35585b065c32194b52131b7dd90c710 (diff) | |
| parent | d6a77e2b97f3968b99798faeb70e873eb5910849 (diff) | |
| download | ffmpeg-b008ac18bb6072acb355445436a999c940538d84.tar.gz | |
Merge remote-tracking branch 'qatar/master'
* qatar/master:
docs: use -bsf:[vas] instead of -[vas]bsf.
mpegaudiodec: Prevent premature clipping of mp3 input buffer.
lavf: move the packet keyframe setting code.
oggenc: free comment header for all codecs
lcl: error out if uncompressed input buffer is smaller than framesize.
mjpeg: abort decoding if packet is too large.
golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF.
get_bits: add HAVE_BITS_REMAINING macro.
lavf/output-example: use new audio encoding API correctly.
lavf/output-example: more proper usage of the new API.
tiff: Prevent overreads in the type_sizes array.
tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned.
apetag: do not leak memory if avio_read() fails
apetag: propagate errors.
SBR DSP x86: implement SSE sbr_hf_g_filt
SBR DSP x86: implement SSE sbr_sum_square_sse
SBR DSP: use intptr_t for the ixh parameter.
Conflicts:
doc/bitstream_filters.texi
doc/examples/muxing.c
doc/ffmpeg.texi
libavcodec/golomb.h
libavcodec/x86/Makefile
libavformat/oggenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/mjpegdec.c')
| -rw-r--r-- | libavcodec/mjpegdec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 954fce1e40..dac0d6711d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1570,6 +1570,10 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size, /* EOF */ if (start_code < 0) { goto the_end; + } else if (unescaped_buf_size > (1U<<29)) { + av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n", + start_code, unescaped_buf_ptr, buf_size); + return AVERROR_INVALIDDATA; } else { av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n", start_code, buf_end - buf_ptr); |