From 8d857c543402911f46ad38b093ab9aaf5b9a9a18 Mon Sep 17 00:00:00 2001
From: Reimar Döffinger
Date: Sun, 24 May 2009 09:03:45 +0000
Subject: Add a few size checks when decoding rtjpeg blocks.

Might avoid crashes in unlikely cases, but mostly avoids ugly artefacts for partial frames.

Originally committed as revision 18925 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/rtjpeg.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'libavcodec/rtjpeg.c')

diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c
index 2736807439..ec31656a09 100644
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -55,6 +55,9 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 // number of non-zero coefficients
 coeff = get_bits(gb, 6);
+ if (get_bits_count(gb) + (coeff << 1) >= gb->size_in_bits)
+ return 0;
+
 // normally we would only need to clear the (63 - coeff) last values,
 // but since we do not know where they are we just clear the whole block
 memset(block, 0, 64 * sizeof(DCTELEM));
@@ -69,6 +72,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 // 4 bits per coefficient
 ALIGN(4);
+ if (get_bits_count(gb) + (coeff << 2) >= gb->size_in_bits)
+ return 0;
 while (coeff) {
 ac = get_sbits(gb, 4);
 if (ac == -8)
@@ -78,6 +83,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 // 8 bits per coefficient
 ALIGN(8);
+ if (get_bits_count(gb) + (coeff << 3) >= gb->size_in_bits)
+ return 0;
 while (coeff) {
 ac = get_sbits(gb, 8);
 PUT_COEFF(ac);
-- 
cgit v1.2.3
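Review bot: The new bound in get_block compares with `>=`, so a block whose coefficients end exactly on the last bit of the buffer is rejected even though every bit it needs is present; `if (get_bits_count(gb) + (coeff << 1) > gb->size_in_bits)` would reject only reads that actually run past the end. The same comparison is used by the 4-bit and 8-bit checks in the next two hunks. The stricter form errs on the safe side, costing a dropped final block rather than an overread, so if the extra bit of margin is intentional a short comment saying so would help. The check also runs after `get_bits(gb, 6)` has already consumed its bits, so the header read itself still depends on whatever input padding the caller guarantees, which is not visible here. get_block's body starts and ends outside the hunk.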
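Review bot: When the 4-bit check fires, `block` has already been cleared by the `memset` shown in the first hunk and may hold coefficients from the earlier stage, yet the truncation path returns the same `0` as the first check, so the caller cannot tell a cut-off block from whatever else 0 means to it (the call site is outside these hunks). Returning a distinct negative value here and in the 8-bit check of the next hunk, e.g. `return -1;`, would let the decoder log or drop a truncated frame instead of continuing silently. That requires the caller to test for `< 0`, so it is a follow-up rather than a one-line change. At minimum, a comment such as `// not enough bits left for the remaining coefficients` on each early return would document why decoding stops there.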