Fix heap overflow due to lack of nb_components check.

Originally committed as revision 21450 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2010-01-25 13:26:10 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2010-01-25 13:26:10 +0000
commit: 021dccba1ff01b9005199fe8671a1887a262b430 (patch)
tree: 76e60aafb0da3633d2a84bca2f04f6397b442de8 /libavcodec/mjpegdec.c
parent: cc5d4f4c348b73d33677873ede42ae7129b37955 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 86862dbd40..dc8df55d47 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -899,6 +899,10 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s)
     /* XXX: verify len field validity */
     len = get_bits(&s->gb, 16);
     nb_components = get_bits(&s->gb, 8);
+    if (nb_components == 0 || nb_components > MAX_COMPONENTS){
+        av_log(s->avctx, AV_LOG_ERROR, "decode_sos: nb_components (%d) unsupported\n", nb_components);
+        return -1;
+    }
     if (len != 6+2*nb_components)
     {
         av_log(s->avctx, AV_LOG_ERROR, "decode_sos: invalid len (%d)\n", len);
author	Michael Niedermayer <michaelni@gmx.at>	2010-01-25 13:26:10 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2010-01-25 13:26:10 +0000
commit	021dccba1ff01b9005199fe8671a1887a262b430 (patch)
tree	76e60aafb0da3633d2a84bca2f04f6397b442de8 /libavcodec/mjpegdec.c
parent	cc5d4f4c348b73d33677873ede42ae7129b37955 (diff)