Message ID | CAPYw7P70OotnaF1cdwJ8B9pBCB7SDrSeQp_dj2AA2LKUhfSvfA@mail.gmail.com |
---|---|
State | New |
Series | [FFmpeg-devel] avcodec/mjpegdec: check that component index is positive |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | fail | Make fate failed |
Quoting Paul B Mahol (2022-09-25 19:16:43) > Patch attached > > From 0a28ae573654d05ef56cafbb169674b1829f0c6f Mon Sep 17 00:00:00 2001 > From: Paul B Mahol <onemda@gmail.com> > Date: Sun, 25 Sep 2022 19:17:25 +0200 > Subject: [PATCH] avcodec/mjpegdec: check that index is not negative > > Signed-off-by: Paul B Mahol <onemda@gmail.com> > --- > libavcodec/mjpegdec.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c > index c594950500..57c7c1c80d 100644 > --- a/libavcodec/mjpegdec.c > +++ b/libavcodec/mjpegdec.c > @@ -374,6 +374,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) > for (i = 0; i < nb_components; i++) { > /* component id */ > s->component_id[i] = get_bits(&s->gb, 8) - 1; > + if (s->component_id[i] < 0) It's generally safer to not leave invalid values lying around, so better to first check and only then write into the context.
From 0a28ae573654d05ef56cafbb169674b1829f0c6f Mon Sep 17 00:00:00 2001 From: Paul B Mahol <onemda@gmail.com> Date: Sun, 25 Sep 2022 19:17:25 +0200 Subject: [PATCH] avcodec/mjpegdec: check that index is not negative Signed-off-by: Paul B Mahol <onemda@gmail.com> --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index c594950500..57c7c1c80d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -374,6 +374,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) for (i = 0; i < nb_components; i++) { /* component id */ s->component_id[i] = get_bits(&s->gb, 8) - 1; + if (s->component_id[i] < 0) + return AVERROR_INVALIDDATA; h_count[i] = get_bits(&s->gb, 4); v_count[i] = get_bits(&s->gb, 4); /* compute hmax and vmax (only used in interleaved case) */ @@ -1678,6 +1680,8 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, } for (i = 0; i < nb_components; i++) { id = get_bits(&s->gb, 8) - 1; + if (id < 0) + return AVERROR_INVALIDDATA; av_log(s->avctx, AV_LOG_DEBUG, "component: %d\n", id); /* find component index */ for (index = 0; index < s->nb_components; index++) -- 2.37.2
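Review bot: In the ff_mjpeg_decode_sof hunk, the new `< 0` test runs after `s->component_id[i]` has already been assigned, so on the error return the negative value stays in the decoder context. Read the value into a local first, return AVERROR_INVALIDDATA if it is negative, and only then store it: `int id = get_bits(&s->gb, 8) - 1;`, then the check, then `s->component_id[i] = id;`. The commit subject says "not negative" while the series title says "positive"; the code matches the former, since an index of 0 passes the check.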
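Review bot: In the ff_mjpeg_decode_sos hunk, the `if (id < 0)` return sits before the `av_log(s->avctx, AV_LOG_DEBUG, "component: %d\n", id);` line, so a rejected scan header leaves no trace in the log; emit an AV_LOG_ERROR message before returning so the failure can be diagnosed. Because `id` is `get_bits(&s->gb, 8) - 1`, the condition fires exactly when the component byte read from the stream is 0. The check table on this page reports make fate failing for this patch, so confirm whether a FATE sample carries a component byte of 0 before treating that value as invalid data.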