mjpeg: Detect overreads in mjpeg_decode_scan() and error out.
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 21 Apr 2011 20:03:24 +0000 (22:03 +0200)
committerReinhard Tartler <siretart@sandy.tauware.de>
Sat, 30 Apr 2011 06:12:10 +0000 (08:12 +0200)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Ronald S. Bultje <rbultje@google.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0d9cba562b88899f0769e686d19b7953f589069b)

libavcodec/mjpegdec.c

index 7f57af9..9f2f88b 100644 (file)
@@ -792,6 +792,10 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
             if (s->restart_interval && !s->restart_count)
                 s->restart_count = s->restart_interval;
 
+            if(get_bits_count(&s->gb)>s->gb.size_in_bits){
+                av_log(s->avctx, AV_LOG_ERROR, "overread %d\n", get_bits_count(&s->gb) - s->gb.size_in_bits);
+                return -1;
+            }
             for(i=0;i<nb_components;i++) {
                 uint8_t *ptr;
                 int n, h, v, x, y, c, j;