* check for potentialy problematic field len
Originally committed as revision 1572 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Zdenek Kabelac
parent
b29f97d136
commit
dce778e0ea
1 changed files with 22 additions and 20 deletions
|
|
@ -1262,16 +1262,16 @@ out:
|
||||||
|
|
||||||
static int mjpeg_decode_com(MJpegDecodeContext *s)
|
static int mjpeg_decode_com(MJpegDecodeContext *s)
|
||||||
{
|
{
|
||||||
int i;
|
|
||||||
UINT8 *cbuf;
|
|
||||||
|
|
||||||
/* XXX: verify len field validity */
|
/* XXX: verify len field validity */
|
||||||
unsigned int len = get_bits(&s->gb, 16)-2;
|
unsigned int len = get_bits(&s->gb, 16);
|
||||||
cbuf = av_malloc(len+1);
|
if (len >= 2 && len < 32768) {
|
||||||
|
/* XXX: any better upper bound */
|
||||||
for (i = 0; i < len; i++)
|
UINT8 *cbuf = av_malloc(len - 1);
|
||||||
|
if (cbuf) {
|
||||||
|
int i;
|
||||||
|
for (i = 0; i < len - 2; i++)
|
||||||
cbuf[i] = get_bits(&s->gb, 8);
|
cbuf[i] = get_bits(&s->gb, 8);
|
||||||
if (cbuf[i-1] == '\n')
|
if (i > 0 && cbuf[i-1] == '\n')
|
||||||
cbuf[i-1] = 0;
|
cbuf[i-1] = 0;
|
||||||
else
|
else
|
||||||
cbuf[i] = 0;
|
cbuf[i] = 0;
|
||||||
|
|
@ -1287,6 +1287,8 @@ static int mjpeg_decode_com(MJpegDecodeContext *s)
|
||||||
}
|
}
|
||||||
|
|
||||||
av_free(cbuf);
|
av_free(cbuf);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue