aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/mjpegdec.c
diff options
context:
space:
mode:
authorCarl Eugen Hoyos <cehoyos@ag.or.at>2016-09-03 14:21:46 +0200
committerCarl Eugen Hoyos <cehoyos@ag.or.at>2016-09-03 14:21:46 +0200
commite82b181f8096d20a163b054b8117838437d6b694 (patch)
tree623cb6d1ba048ad5e68dd1ff59a6808f6d4dbde2 /libavcodec/mjpegdec.c
parentb4d7c1f84b0229b481ce16302ff1a5fe879ec940 (diff)
downloadffmpeg-e82b181f8096d20a163b054b8117838437d6b694.tar.gz
lavc/mjpegdec: Only read JFIF thumbnail size if the segment is long enough.
Fixes ticket #5805.
Diffstat (limited to 'libavcodec/mjpegdec.c')
-rw-r--r--libavcodec/mjpegdec.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 0645a1d2ac..84d929ad9b 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1690,6 +1690,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
s->avctx->sample_aspect_ratio.num,
s->avctx->sample_aspect_ratio.den);
+ len -= 8;
+ if (len >= 2) {
t_w = get_bits(&s->gb, 8);
t_h = get_bits(&s->gb, 8);
if (t_w && t_h) {
@@ -1697,7 +1699,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
if (len -10 - (t_w * t_h * 3) > 0)
len -= t_w * t_h * 3;
}
- len -= 10;
+ len -= 2;
+ }
goto out;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-30 11:56:32 +0000