mjpegbdec: Fix overflow in SOS.
authorAlex Converse <alex.converse@gmail.com>
Wed, 25 Jan 2012 21:39:24 +0000 (13:39 -0800)
committerReinhard Tartler <siretart@tauware.de>
Sat, 21 Apr 2012 13:42:28 +0000 (15:42 +0200)
Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93e8df15fe5f364535a7214be0817736)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ca010f20965ef71d97a53e871edae2eb9c05a5f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavcodec/mjpegbdec.c

index 62b29e0..f19a87f 100644 (file)
@@ -49,6 +49,9 @@ read_header:
     s->restart_count = 0;
     s->mjpb_skiptosod = 0;
 
+    if (buf_end - buf_ptr >= 1 << 28)
+        return AVERROR_INVALIDDATA;
+
     init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);
 
     skip_bits(&hgb, 32); /* reserved zeros */
@@ -99,8 +102,8 @@ read_header:
     av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
     if (sos_offs)
     {
-//        init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
-        init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+        init_get_bits(&s->gb, buf_ptr + sos_offs,
+                      8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
         s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
         s->start_code = SOS;
         ff_mjpeg_decode_sos(s);