From 2111a191ebec422cf7781225cbcfdd69e71afce1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 21 Oct 2010 22:44:44 +0000
Subject: Check index in mjpeg AC decode against overflowing.

This fixes a possibly exploitable buffer overflow and it will likely also be needed for future overreading fixes.

Originally committed as revision 25546 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/mjpegdec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'libavcodec')

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index ec798594f4..ce52a08e83 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -411,7 +411,7 @@ static int decode_block(MJpegDecodeContext *s, DCTELEM *block,
 /* AC coefs */
 i = 0;
 {OPEN_READER(re, &s->gb)
- for(;;) {
+ do {
 UPDATE_CACHE(re, &s->gb);
 GET_VLC(code, re, &s->gb, s->vlcs[1][ac_index].table, 9, 2)
 
@@ -444,7 +444,7 @@ static int decode_block(MJpegDecodeContext *s, DCTELEM *block,
 j = s->scantable.permutated[i];
 block[j] = level * quant_matrix[j];
 }
- }
+ }while(i<63);
 CLOSE_READER(re, &s->gb)}
 
 return 0;
@@ -511,6 +511,10 @@ static int decode_block_progressive(MJpegDecodeContext *s, DCTELEM *block, uint8
 }else{
 if(run == 0xF){// ZRL - skip 15 coefficients
 i += 15;
+ if (i >= se) {
+ av_log(s->avctx, AV_LOG_ERROR, "ZRL overflow: %d\n", i);
+ return -1;
+ }
 }else{
 val = (1 << run);
 if(run){
--
cgit v1.2.3
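Review bot: The `while(i<63)` condition that replaces the `for(;;)` (this hunk and the second one) only decides whether another iteration starts; it does not bound the index reached inside an iteration. The lines that advance i lie between the two hunks and are not visible here, but if they add the run to i before `j = s->scantable.permutated[i]` in the second hunk, an iteration entered at i = 62 can still index past the 64-entry scan table and block with a run of up to 15, so an `i > 63` rejection with an AV_LOG_ERROR (mirroring the ZRL check in the third hunk) belongs immediately after the run is added, not only at the loop condition. The bare 63 also deserves a comment, e.g. `} while (i < 63); /* 63 = last coefficient index of the 8x8 block */`. decode_block's body starts before and continues between and after these hunks.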
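Review bot: The new guard bounds only the ZRL path; the branch closed by the `}else{` at the top of this hunk, which presumably adds a nonzero coefficient's run to i before indexing `s->scantable.permutated[i]`, shows no equivalent comparison against se in this diff. If that is the case, the same rejection is needed there, otherwise a crafted run still walks past the band end that `i >= se` protects here. The choice of `>=` rather than `>` is not obvious to a reader and deserves a one-line comment, e.g. `/* ZRL must be followed by a coefficient inside the band, so i has to stay below se */`. decode_block_progressive's body starts and ends outside this hunk.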