jpegls: check the scan offset
authorLuca Barbato <lu_zero@gentoo.org>
Fri, 17 May 2013 11:08:55 +0000 (13:08 +0200)
committerLuca Barbato <lu_zero@gentoo.org>
Fri, 17 May 2013 14:44:13 +0000 (16:44 +0200)
Prevent an out-of-bounds array write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
libavcodec/jpeglsdec.c

index 3616063bf14c129731ebf253f55e37741f4f6160..df72ca338f2fa045925aded463a686891bb382c5 100644 (file)
@@ -306,6 +306,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
     av_dlog(s->avctx, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n",
             ilv, point_transform, s->bits, s->cur_scan);
     if (ilv == 0) { /* separate planes */
+        if (s->cur_scan > s->nb_components) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
         off    = s->cur_scan - 1;
         stride = (s->nb_components > 1) ? 3 : 1;
         width  = s->width * stride;
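Review bot: The added guard in the `ilv == 0` branch bounds `s->cur_scan` only from above, while the next line computes `off = s->cur_scan - 1`, so a value of 0 would still give `off == -1`. Whether `cur_scan` can be 0 on this path is not visible in the hunk; if the caller does not guarantee it is at least 1, the condition could read `if (s->cur_scan < 1 || s->cur_scan > s->nb_components) {`. Separately, `stride` is capped at 3 while `off` may now reach `nb_components - 1`, so it is worth confirming that `nb_components` cannot exceed 3 when this branch runs. A short comment such as `/* off selects a component slot inside one pixel, so cur_scan must be 1..nb_components */` would record why the check exists. ff_jpegls_decode_picture starts and ends outside the hunk, including the `end` label the new code jumps to.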