avcodec/jpeglsdec: Check run value more completely in ls_decode_line()

previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/jpeglsdec: Check run value more completely in ls_decode_line()
previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
06e7d584 · Michael Niedermayer · 77b3e110 · 06e7d584
Commit 06e7d584 authored Oct 02, 2014 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

jpeglsdec.c libavcodec/jpeglsdec.c +5 -0

No files found.
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -269,6 +269,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s,
                x += stride;
            }

+            if (x >= w) {
+                av_log(NULL, AV_LOG_ERROR, "run overflow\n");
+                return;
+            }
+
            /* decode run termination value */
            Rb     = R(last, x);
            RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0;