In the event of overflow, the JV_PADDING state will avio_skip over
any overflow bytes (using JVFrame.total_size).
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
| ... | ... |
@@ -116,6 +116,8 @@ static int read_header(AVFormatContext *s, |
| 116 | 116 |
jvf->audio_size = avio_rl32(pb); |
| 117 | 117 |
jvf->video_size = avio_rl32(pb); |
| 118 | 118 |
jvf->palette_size = avio_r8(pb) ? 768 : 0; |
| 119 |
+ jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0), |
|
| 120 |
+ INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size); |
|
| 119 | 121 |
if (avio_r8(pb)) |
| 120 | 122 |
av_log(s, AV_LOG_WARNING, "unsupported audio codec\n"); |
| 121 | 123 |
jvf->video_type = avio_r8(pb); |
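Review bot: The added clamp bounds only `video_size`; `jvf->audio_size` on the first context line is read from the file with the same `avio_rl32(pb)` and is left unchecked, so a value of 0x80000000 or above would presumably be stored as a negative int and reach whatever consumes it outside this hunk. The clamp is also silent, and its upper bound still allows a video packet of nearly INT_MAX bytes, so a corrupt or hostile index entry is quietly turned into a different size rather than reported. Consider validating both fields and logging the rejection, e.g. `if (jvf->audio_size < 0 || jvf->video_size < 0) { av_log(s, AV_LOG_ERROR, "invalid frame size\n"); return AVERROR_INVALIDDATA; }`, with whatever cleanup the surrounding code needs on that path. If clamping is kept, a comment such as `/* sizes are file-controlled; keep JV_PREAMBLE_SIZE + video_size + palette_size within int */` would record why the bound has this form. read_header starts and ends outside the hunk, so the field types and the later use of audio_size cannot be confirmed from here.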