Browse code
Check for out of bound reads in jpeg 2000 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Laurent Aimar authored on 2011/09/29 08:04:53Showing 1 changed files
| ... | ... |
@@ -961,18 +961,20 @@ static int decode_codestream(J2kDecoderContext *s) |
| 961 | 961 |
|
| 962 | 962 |
static int jp2_find_codestream(J2kDecoderContext *s) |
| 963 | 963 |
{
|
| 964 |
- int32_t atom_size; |
|
| 964 |
+ uint32_t atom_size; |
|
| 965 | 965 |
int found_codestream = 0, search_range = 10; |
| 966 | 966 |
|
| 967 | 967 |
// skip jpeg2k signature atom |
| 968 | 968 |
s->buf += 12; |
| 969 | 969 |
|
| 970 |
- while(!found_codestream && search_range) {
|
|
| 970 |
+ while(!found_codestream && search_range && s->buf_end - s->buf >= 8) {
|
|
| 971 | 971 |
atom_size = AV_RB32(s->buf); |
| 972 | 972 |
if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) {
|
| 973 | 973 |
found_codestream = 1; |
| 974 | 974 |
s->buf += 8; |
| 975 | 975 |
} else {
|
| 976 |
+ if (s->buf_end - s->buf < atom_size) |
|
| 977 |
+ return 0; |
|
| 976 | 978 |
s->buf += atom_size; |
| 977 | 979 |
search_range--; |
| 978 | 980 |
} |
| ... | ... |
@@ -1005,7 +1007,8 @@ static int decode_frame(AVCodecContext *avctx, |
| 1005 | 1005 |
return AVERROR(EINVAL); |
| 1006 | 1006 |
|
| 1007 | 1007 |
// check if the image is in jp2 format |
| 1008 |
- if((AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && |
|
| 1008 |
+ if(s->buf_end - s->buf >= 12 && |
|
| 1009 |
+ (AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && |
|
| 1009 | 1010 |
(AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) {
|
| 1010 | 1011 |
if(!jp2_find_codestream(s)) {
|
| 1011 | 1012 |
av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n"); |