diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-05-26 20:05:30 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-05-26 20:15:50 +0200 |
| commit | cb39dfb87009106395689373f7c1bd0df1dead17 (patch) | |
| tree | e7055114ca8ac5ac63ae8a656903458dd9bfb813 /libavcodec | |
| parent | 9ea242962c4093a5523deef124a98193bbb36730 (diff) | |
| download | ffmpeg-cb39dfb87009106395689373f7c1bd0df1dead17.tar.gz | |
j2k/jpeg2000: check cblk size
This is based on j2k FCD which is ambigous thus the limit
might be tighter.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/j2kdec.c | 11 | ||||
| -rw-r--r-- | libavcodec/jpeg2000dec.c | 10 |
2 files changed, 17 insertions, 4 deletions
diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 0c88ba9423..f3b9ad13cd 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c @@ -233,8 +233,15 @@ static int get_cox(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c) if (bytestream2_get_bytes_left(&s->g) < 5) return AVERROR(EINVAL); c->nreslevels = bytestream2_get_byteu(&s->g) + 1; // num of resolution levels - 1 - c->log2_cblk_width = bytestream2_get_byteu(&s->g) + 2; // cblk width - c->log2_cblk_height = bytestream2_get_byteu(&s->g) + 2; // cblk height + + c->log2_cblk_width = (bytestream2_get_byteu(&s->g) & 15) + 2; // cblk width + c->log2_cblk_height = (bytestream2_get_byteu(&s->g) & 15) + 2; // cblk height + + if (c->log2_cblk_width > 10 || c->log2_cblk_height > 10 || + c->log2_cblk_width + c->log2_cblk_height > 14) { + av_log(s->avctx, AV_LOG_ERROR, "cblk size invalid\n"); + return AVERROR_INVALIDDATA; + } c->cblk_style = bytestream2_get_byteu(&s->g); if (c->cblk_style != 0) { // cblk style diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b451c38176..6bd9eb01a4 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -263,8 +263,14 @@ static int get_cox(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c) else c->nreslevels2decode = c->nreslevels - s->reduction_factor; - c->log2_cblk_width = bytestream2_get_byteu(&s->g) + 2; // cblk width - c->log2_cblk_height = bytestream2_get_byteu(&s->g) + 2; // cblk height + c->log2_cblk_width = (bytestream2_get_byteu(&s->g) & 15) + 2; // cblk width + c->log2_cblk_height = (bytestream2_get_byteu(&s->g) & 15) + 2; // cblk height + + if (c->log2_cblk_width > 10 || c->log2_cblk_height > 10 || + c->log2_cblk_width + c->log2_cblk_height > 14) { + av_log(s->avctx, AV_LOG_ERROR, "cblk size invalid\n"); + return AVERROR_INVALIDDATA; + } c->cblk_style = bytestream2_get_byteu(&s->g); if (c->cblk_style != 0) { // cblk style |