Message ID | 201705021613.07779.cehoyos@ag.or.at |
---|---|
State | Accepted |
Commit | a75ef1506a62ff21f3e282d76978b28ffc305c64 |
On Tue, May 02, 2017 at 04:13:07PM +0200, Carl Eugen Hoyos wrote:
> Hi!
>
> The atom2_size variable when reading the inner atoms of a jp2 header
> is not reduced after reading the first 64 bit of the atom, the
> variable is used later for several checks to avoid overreads.
>
> Please comment, Carl Eugen

LGTM, thx

[...]

2017-05-02 21:06 GMT+02:00 Michael Niedermayer <michael@niedermayer.cc>:
> On Tue, May 02, 2017 at 04:13:07PM +0200, Carl Eugen Hoyos wrote:
>> Hi!
>>
>> The atom2_size variable when reading the inner atoms of a jp2 header
>> is not reduced after reading the first 64 bit of the atom, the
>> variable is used later for several checks to avoid overreads.
>>
>> Please comment, Carl Eugen
>
> LGTM, thx

Patch applied.

Thank you, Carl Eugen

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e9f5f51..ab814ca 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1982,6 +1982,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; if (atom2_size < 8 || atom2_end > atom_end || atom2_end < atom2_size) break; + atom2_size -= 8; if (atom2 == JP2_CODESTREAM) { return 1; } else if (atom2 == MKBETAG('c','o','l','r') && atom2_size >= 7) {
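
Review bot: After the added `atom2_size -= 8;` the variable changes meaning partway through the block: the `atom2_end` computation and the `atom2_size < 8` guard just above treat it as the full atom length including the 8 header bytes, while the `colr` branch's `atom2_size >= 7` and any checks after it now see the payload length. Placing the subtraction after the `< 8` guard is right, since it cannot go below zero there, but a short comment on the new line (for example "header already consumed, atom2_size is the payload length from here on") or a separate payload variable would keep a later check from mixing the two meanings. It is also worth confirming that each existing threshold below the new line, starting with `>= 7` on the `colr` line, was written as a payload byte count, and saying in the commit message which reads were under-guarded before.
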
Hi!

The atom2_size variable when reading the inner atoms of a jp2 header
is not reduced after reading the first 64 bit of the atom, the
variable is used later for several checks to avoid overreads.

Please comment, Carl Eugen

From 8519c62b141953ecbd47f4eb9572a54db29bfec3 Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos <cehoyos@ag.or.at>
Date: Tue, 2 May 2017 16:09:11 +0200
Subject: [PATCH] lavc/jpeg2000dec: Fix jp2 inner atom size used for overread checks.

---
 libavcodec/jpeg2000dec.c | 1 +
 1 file changed, 1 insertion(+)