mjpegdec: check SE.
authorMichael Niedermayer <michaelni@gmx.at>
Sat, 10 Nov 2012 23:01:24 +0000 (00:01 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 3 Dec 2012 19:45:23 +0000 (20:45 +0100)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/mjpegdec.c

index d829b1b..0fca372 100644 (file)
@@ -1097,6 +1097,11 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
     int last_scan = 0;
     int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];
 
+    if (se > 63) {
+        av_log(s->avctx, AV_LOG_ERROR, "SE %d is too large\n", se);
+        return AVERROR_INVALIDDATA;
+    }
+
     if (!Al) {
         s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss);
         last_scan = !~s->coefs_finished[c];