From aa6ff39bb093a98b338cee45af77cd6c4055b886 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 11 Jul 2005 23:39:47 +0000
Subject: check len (should fix #1165694)

Originally committed as revision 4436 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/mjpeg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'libavcodec/mjpeg.c')

diff --git a/libavcodec/mjpeg.c b/libavcodec/mjpeg.c
index 4c2b4793bf..58b5b97823 100644
--- a/libavcodec/mjpeg.c
+++ b/libavcodec/mjpeg.c
@@ -1585,10 +1585,11 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
 {
 int len, id;

- /* XXX: verify len field validity */
 len = get_bits(&s->gb, 16);
 if (len < 5)
 return -1;
+ if(8*len + get_bits_count(&s->gb) > s->gb.size_in_bits)
+ return -1;
 id = (get_bits(&s->gb, 16) << 16) | get_bits(&s->gb, 16);
 id = be2me_32(id);

-- 
cgit v1.2.3
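Review bot: The added bound `8*len + get_bits_count(&s->gb) > s->gb.size_in_bits` runs after the 16-bit length field has already been consumed, so if `len` counts its own two bytes (as JPEG segment lengths normally do) it overstates the remaining payload by 16 bits. That errs on the safe side for the over-read this commit targets, but it would also reject a well-formed APP segment that ends within two bytes of the buffer end. The tight form would be `8*(len - 2) + get_bits_count(&s->gb) > s->gb.size_in_bits`, which should be confirmed against how the rest of `mjpeg_decode_app`, continuing outside this hunk, consumes `len`. The removed XXX comment also deserves a replacement stating the intent, e.g. `/* len comes from the stream: reject segments claiming more data than the buffer holds */`. Finally, the new `if(` drops the space used by `if (len < 5)` just above.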