jvdec: Do not feed the decoder with known wrong data

Still assume the size value is right in non-explode mode.
author: Luca Barbato <lu_zero@gentoo.org> 2013-12-13 03:07:57 +0100
committer: Luca Barbato <lu_zero@gentoo.org> 2013-12-20 17:44:20 +0100
commit: 15739a9bd19a7d47ad8afb25348c684a3bdd6ef2 (patch)
tree: 7bc6108a8f25d2e310df2adf8466673b21cfada2 /libavformat/jvdec.c
parent: e518cb863edc931888ccca6cad86f73ca7430cef (diff)
1 files changed, 15 insertions, 2 deletions
diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 6bf220fed2..17ce3263fa 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -128,10 +128,23 @@ static int read_header(AVFormatContext *s)
         jvf->audio_size = avio_rl32(pb);
         jvf->video_size = avio_rl32(pb);
         jvf->palette_size = avio_r8(pb) ? 768 : 0;
-        jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0),
-                                INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size);
+
+        if ((jvf->video_size | jvf->audio_size) & ~0xFFFFFF ||
+            e->size - jvf->audio_size
+                    - jvf->video_size
+                    - jvf->palette_size < 0) {
+            if (s->error_recognition & AV_EF_EXPLODE) {
+                read_close(s);
+                return AVERROR_INVALIDDATA;
+            }
+            jvf->audio_size =
+            jvf->video_size =
+            jvf->palette_size = 0;
+        }
+
         if (avio_r8(pb))
              av_log(s, AV_LOG_WARNING, "unsupported audio codec\n");
+
         jvf->video_type = avio_r8(pb);
         avio_skip(pb, 1);
author	Luca Barbato <lu_zero@gentoo.org>	2013-12-13 03:07:57 +0100
committer	Luca Barbato <lu_zero@gentoo.org>	2013-12-20 17:44:20 +0100
commit	15739a9bd19a7d47ad8afb25348c684a3bdd6ef2 (patch)
tree	7bc6108a8f25d2e310df2adf8466673b21cfada2 /libavformat/jvdec.c
parent	e518cb863edc931888ccca6cad86f73ca7430cef (diff)