From cfbd98abe82cfcb9984a18d08697251b72b110c8 Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Wed, 15 May 2013 18:41:41 +0200
Subject: mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac

Prevent out of buffer write when decoding broken samples.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/mjpegdec.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavcodec/mjpegdec.c')

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 896fa996f0..934d1a2f92 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -941,6 +941,11 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
     int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];
     GetBitContext mb_bitmask_gb;
 
+    if (ss < 0  || ss >= 64 ||
+        se < ss || se >= 64 ||
+        Ah < 0  || Al < 0)
+        return AVERROR_INVALIDDATA;
+
     if (mb_bitmask)
         init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width * s->mb_height);
 
-- 
cgit v1.2.3