Merge commit '1018a92219a38a812cf97761c6b3a5e66a400f4b'
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 10 Oct 2013 07:55:17 +0000 (09:55 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Thu, 10 Oct 2013 08:32:04 +0000 (10:32 +0200)
* commit '1018a92219a38a812cf97761c6b3a5e66a400f4b':
  jpeg2000: Check block length

See: 914ab4cd1c59eae10771f2d6a892ec6b6f36b0e2
See: 582f53349eabd75164d4389503eb95048982cfdc
Merged-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/jpeg2000dec.c

@@@ -789,14 -703,25 +789,18 @@@ static int jpeg2000_decode_packet(Jpeg2
          nb_code_blocks = prec->nb_codeblocks_height * prec->nb_codeblocks_width;
          for (cblkno = 0; cblkno < nb_code_blocks; cblkno++) {
              Jpeg2000Cblk *cblk = prec->cblk + cblkno;
 -            if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
 +            if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
 +                || sizeof(cblk->data) < cblk->length + cblk->lengthinc + 2
-             )
++            ) {
++                av_log(s->avctx, AV_LOG_ERROR,
++                       "Block length %d or lengthinc %d is too large\n",
++                       cblk->length, cblk->lengthinc);
                  return AVERROR_INVALIDDATA;
 -            /* Code-block data can be empty. In that case initialize data
 -             * with 0xFFFF. */
 -            if (cblk->lengthinc > 0) {
 -                bytestream2_get_bufferu(&s->g, cblk->data, cblk->lengthinc);
 -            } else {
 -                cblk->data[0] = 0xFF;
 -                cblk->data[1] = 0xFF;
+             }
 +
 +            bytestream2_get_bufferu(&s->g, cblk->data + cblk->length, cblk->lengthinc);
              cblk->length   += cblk->lengthinc;
              cblk->lengthinc = 0;
 -
 -            if (cblk->length > sizeof(cblk->data)) {
 -                av_log(s->avctx, AV_LOG_ERROR,
 -                       "Block length %d > data size %zd\n",
 -                       cblk->length, sizeof(cblk->data));
 -                return AVERROR_INVALIDDATA;
 -            }
          }
      }
      return 0;
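Review bot: The new bound `sizeof(cblk->data) < cblk->length + cblk->lengthinc + 2` is only as safe as the arithmetic on its right-hand side, and the types of `length` and `lengthinc` are declared outside this hunk. If either is a plain `int` filled from the codestream, the sum can overflow before the comparison is made; a subtraction form holds for any integer type: `|| cblk->length > sizeof(cblk->data) - 2 || cblk->lengthinc > sizeof(cblk->data) - 2 - cblk->length`. The `+ 2` deserves a one-line comment saying what the two reserved bytes are for, because the explicit 0xFFFF initialisation from one parent is gone from this loop and nothing here shows where they are written. This check is also the only thing guarding the unchecked `bytestream2_get_bufferu()` copy to `cblk->data + cblk->length`, so a comment such as `/* bounds verified above; get_bufferu does no checking */` next to the call would keep the two from drifting apart. jpeg2000_decode_packet begins above the hunk.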