Merge remote-tracking branch 'qatar/master'
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 30 Jun 2013 12:04:22 +0000 (14:04 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 30 Jun 2013 12:11:38 +0000 (14:11 +0200)
* qatar/master:
  mjpeg: Check the unescaped size for overflows

Conflicts:
libavcodec/mjpegdec.c

See: a9456c7c5ca883b5a3947e59a9fba5587e18e119

Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavcodec/mjpegdec.c

@@@ -1667,12 -1478,14 +1668,15 @@@ int ff_mjpeg_decode_frame(AVCodecContex
                     start_code, unescaped_buf_size, buf_size);
              return AVERROR_INVALIDDATA;
          }
 -
          av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n",
                 start_code, buf_end - buf_ptr);
-         if ((ret = init_get_bits8(&s->gb, unescaped_buf_ptr, unescaped_buf_size)) < 0) {
 -        ret = init_get_bits(&s->gb, unescaped_buf_ptr,
 -                            unescaped_buf_size * 8);
 -        if (ret < 0)
 -            return ret;
++        ret = init_get_bits8(&s->gb, unescaped_buf_ptr, unescaped_buf_size);
++
++        if (ret < 0) {
 +            av_log(avctx, AV_LOG_ERROR, "invalid buffer\n");
 +            goto fail;
 +        }
  
          s->start_code = start_code;
          if (s->avctx->debug & FF_DEBUG_STARTCODE)