avcodec/jpeg2000dec: check len before parsing header

Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-06-14 19:20:10 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-06-14 19:34:00 +0200
commit: 69e4d8e6a4cefdf1b19f5d4d1293aa881d6064e8 (patch)
tree: 62226531e10e27598e5f12ae24250f66cc099982 /libavcodec
parent: 5deb96c5641c58d4c1a820971347c3f76cc945d4 (diff)
download: ffmpeg-69e4d8e6a4cefdf1b19f5d4d1293aa881d6064e8.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 11fa7f63ac..f821292769 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1249,9 +1249,9 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
         if (marker == JPEG2000_EOC)
             break;
 
-        if (bytestream2_get_bytes_left(&s->g) < 2)
+        len = bytestream2_get_be16(&s->g);
+        if (len < 2 || bytestream2_get_bytes_left(&s->g) < len - 2)
             return AVERROR(EINVAL);
-        len = bytestream2_get_be16u(&s->g);
         switch (marker) {
         case JPEG2000_SIZ:
             ret = get_siz(s);
author	Michael Niedermayer <michaelni@gmx.at>	2013-06-14 19:20:10 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-06-14 19:34:00 +0200
commit	69e4d8e6a4cefdf1b19f5d4d1293aa881d6064e8 (patch)
tree	62226531e10e27598e5f12ae24250f66cc099982 /libavcodec
parent	5deb96c5641c58d4c1a820971347c3f76cc945d4 (diff)
download	ffmpeg-69e4d8e6a4cefdf1b19f5d4d1293aa881d6064e8.tar.gz