
[FFmpeg-devel] lavc/mjpegdec: Do not overread too short JFIF tag

Message ID 201701011422.23859.cehoyos@ag.or.at
State Accepted
Commit 4acea512f36b96256535b45b1a7e723c61c89c31

Commit Message

Carl Eugen Hoyos Jan. 1, 2017, 1:22 p.m. UTC
Hi!

Attached patch fixes ticket #6055 for me.

Please comment, Carl Eugen
From 3a9e911de8c5a4cf7748fa814e66b2e775778bfa Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos <cehoyos@ag.or.at>
Date: Sun, 1 Jan 2017 14:19:48 +0100
Subject: [PATCH] lavc/mjpegdec: Do not overread too short JFIF tags.

Fixes ticket #6055.
---
 libavcodec/mjpegdec.c |    2 ++
 1 file changed, 2 insertions(+)

Comments

Michael Niedermayer Jan. 1, 2017, 3:22 p.m. UTC | #1
On Sun, Jan 01, 2017 at 02:22:23PM +0100, Carl Eugen Hoyos wrote:
> Hi!
> 
> Attached patch fixes ticket #6055 for me.
> 
> Please comment, Carl Eugen

LGTM

thx

[...]
Carl Eugen Hoyos Jan. 1, 2017, 6:57 p.m. UTC | #2
2017-01-01 16:22 GMT+01:00 Michael Niedermayer <michael@niedermayer.cc>:
> On Sun, Jan 01, 2017 at 02:22:23PM +0100, Carl Eugen Hoyos wrote:
>> Hi!
>>
>> Attached patch fixes ticket #6055 for me.
>>
>> Please comment, Carl Eugen
>
> LGTM

Patch applied.

Thank you, Carl Eugen

Patch

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index eee8d58..e0b22ec 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1670,6 +1670,8 @@  static int mjpeg_decode_app(MJpegDecodeContext *s)
 
     if (id == AV_RB32("JFIF")) {
         int t_w, t_h, v1, v2;
+        if (len < 8)
+            goto out;
         skip_bits(&s->gb, 8); /* the trailing zero-byte */
         v1 = get_bits(&s->gb, 8);
         v2 = get_bits(&s->gb, 8);
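
Review bot: The new `if (len < 8)` check at the top of the JFIF branch uses a bare constant with nothing to say which bytes the 8 covers. The visible lines after it consume only three bytes (the trailing zero byte, v1, v2), so the rest of the bound must come from reads below this context; a short comment listing the fields counted, or a named constant, would let a reader verify the threshold and keep it in sync if those reads change. It is also worth confirming in the surrounding code that `len` at this point is the remaining length after the 4-byte id has been consumed, since that is not visible in the hunk. Finally, `goto out` drops the short tag silently; a debug or warning log there would make a truncated JFIF tag visible when diagnosing malformed input.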