avcodec/mjpegdec: fix overread in find_marker()
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 23 Aug 2013 02:14:08 +0000 (04:14 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 23 Aug 2013 02:44:55 +0000 (04:44 +0200)
Found-by: Laurent Butti <laurentb@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
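--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1610,7 +1610,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
     int skipped = 0;
 
     buf_ptr = *pbuf_ptr;
-    while (buf_ptr < buf_end) {
+    while (buf_end - buf_ptr > 1) {
         v  = *buf_ptr++;
         v2 = *buf_ptr;
         if ((v == 0xff) && (v2 >= 0xc0) && (v2 <= 0xfe) && buf_ptr < buf_end) {
@@ -1619,6 +1619,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
         }
         skipped++;
     }
+    buf_ptr = buf_end;
     val = -1;
 found:
     av_dlog(NULL, "find_marker skipped %d bytes\n", skipped);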
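Review bot: The `&& buf_ptr < buf_end` term in the `if` at the end of the first hunk is now always true, because the new loop condition `buf_end - buf_ptr > 1` guarantees at least one byte remains after the `buf_ptr++`; it could be dropped, or kept with a comment stating it is intentionally redundant so a later reader does not assume it still guards the `v2` read. The added `buf_ptr = buf_end;` in the second hunk consumes the trailing byte the loop no longer inspects, and `skipped` is not incremented for it, so the av_dlog count is arguably one short on the no-marker path; a comment such as `/* loop stops one byte early so the v2 read stays in bounds; consume the leftover byte */` would make the intent clear. The tail of find_marker that writes `*pbuf_ptr` and returns `val` is outside both hunks, so whether the caller observes the consumed byte is inferred rather than visible here.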