From patchwork Tue May 2 14:13:07 2017
X-Patchwork-Submitter: Carl Eugen Hoyos
X-Patchwork-Id: 3547
Tue, 02 May 2017 16:13:09 +0200 X-SourceIP: 80.110.84.10 From: Carl Eugen Hoyos To: FFmpeg development discussions and patches Date: Tue, 2 May 2017 16:13:07 +0200 User-Agent: KMail/1.9.10 MIME-Version: 1.0 Message-Id: <201705021613.07779.cehoyos@ag.or.at> Subject: [FFmpeg-devel] [PATCH]lavc/jpeg2000dec: Fix jp2 inner atom size used for overread checks X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Hi! The atom2_size variable when reading the inner atoms of a jp2 header is not reduced after reading the first 64 bit of the atom, the variable is used later for several checks to avoid overreads. Please comment, Carl Eugen From 8519c62b141953ecbd47f4eb9572a54db29bfec3 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 2 May 2017 16:09:11 +0200 Subject: [PATCH] lavc/jpeg2000dec: Fix jp2 inner atom size used for overread checks. --- libavcodec/jpeg2000dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e9f5f51..ab814ca 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1982,6 +1982,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; if (atom2_size < 8 || atom2_end > atom_end || atom2_end < atom2_size) break; + atom2_size -= 8; if (atom2 == JP2_CODESTREAM) { return 1; } else if (atom2 == MKBETAG('c','o','l','r') && atom2_size >= 7) {
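Review bot: the new `atom2_size -= 8;` sits after the `atom2_size < 8` guard, so it cannot wrap, and `atom2_end` is computed before it from the full box length, so the end check is unaffected; but the visible context shows that the following `atom2_size >= 7` test on the `colr` branch now measures the payload rather than the full box, and the commit message should state explicitly that every remaining branch of this loop consumes `atom2_size` as a payload length, since any branch that already subtracted the 8-byte box header itself would now subtract it twice. A small readability change would make the intent obvious to later readers: keep `atom2_size` as the full box length and introduce a separate payload variable, e.g. `atom2_payload = atom2_size - 8;`, used by the per-box length checks.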