mjpeg: Detect overreads in mjpeg_decode_scan() and error out.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Ronald S. Bultje <rbultje@google.com>
author: Michael Niedermayer <michaelni@gmx.at> 2011-04-21 22:03:24 +0200
committer: Reinhard Tartler <siretart@tauware.de> 2011-04-26 09:29:08 +0200
commit: 76cd98b445c5a1608e9a5974bef0b0be6b35f1ce (patch)
tree: 1dce7bafdab6266fb8f4c6b554d7e3f1d39ba913
parent: 4bc282322ba1c03ed98737740f6b5e17b604ffa1 (diff)
download: android_external_ffmpeg-76cd98b445c5a1608e9a5974bef0b0be6b35f1ce.tar.gz
android_external_ffmpeg-76cd98b445c5a1608e9a5974bef0b0be6b35f1ce.tar.bz2
android_external_ffmpeg-76cd98b445c5a1608e9a5974bef0b0be6b35f1ce.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 6f29e466eb..fa2c505837 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -826,6 +826,10 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
             if (s->restart_interval && !s->restart_count)
                 s->restart_count = s->restart_interval;
 
+            if(get_bits_count(&s->gb)>s->gb.size_in_bits){
+                av_log(s->avctx, AV_LOG_ERROR, "overread %d\n", get_bits_count(&s->gb) - s->gb.size_in_bits);
+                return -1;
+            }
             for(i=0;i<nb_components;i++) {
                 uint8_t *ptr;
                 int n, h, v, x, y, c, j;
author	Michael Niedermayer <michaelni@gmx.at>	2011-04-21 22:03:24 +0200
committer	Reinhard Tartler <siretart@tauware.de>	2011-04-26 09:29:08 +0200
commit	76cd98b445c5a1608e9a5974bef0b0be6b35f1ce (patch)
tree	1dce7bafdab6266fb8f4c6b554d7e3f1d39ba913
parent	4bc282322ba1c03ed98737740f6b5e17b604ffa1 (diff)
download	android_external_ffmpeg-76cd98b445c5a1608e9a5974bef0b0be6b35f1ce.tar.gz android_external_ffmpeg-76cd98b445c5a1608e9a5974bef0b0be6b35f1ce.tar.bz2 android_external_ffmpeg-76cd98b445c5a1608e9a5974bef0b0be6b35f1ce.zip