[SCM] libav/upstream.snapshot: mjpeg: Check the unescaped size for overflows
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Sat Jul 13 06:29:05 UTC 2013
The following commit has been merged in the upstream.snapshot branch:
commit 2cdc97632033206d287b734365e055751a5636de
Author: Luca Barbato <lu_zero at gentoo.org>
Date: Sat Jun 29 06:07:57 2013 +0200
mjpeg: Check the unescaped size for overflows
And contextually check init_get_bits success and fix the reporting
message.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 6765ee7b9cba46818a45b051438b2552f0a1b70a)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
Conflicts:
libavcodec/mjpegdec.c
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index d47fc2c..05f2f02 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1476,15 +1476,20 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
/* EOF */
if (start_code < 0) {
goto the_end;
- } else if (unescaped_buf_size > (1U<<29)) {
- av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n",
+ } else if (unescaped_buf_size > INT_MAX / 8) {
+ av_log(avctx, AV_LOG_ERROR,
+ "MJPEG packet 0x%x too big (%d/%d), corrupt data?\n",
start_code, unescaped_buf_size, buf_size);
return AVERROR_INVALIDDATA;
} else {
av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n",
start_code, buf_end - buf_ptr);
- init_get_bits(&s->gb, unescaped_buf_ptr, unescaped_buf_size * 8);
+ ret = init_get_bits(&s->gb, unescaped_buf_ptr,
+ unescaped_buf_size * 8);
+
+ if (ret < 0)
+ return ret;
s->start_code = start_code;
if (s->avctx->debug & FF_DEBUG_STARTCODE)
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list