avcodec/mjpegdec: fix overread in find_marker()

Found-by: Laurent Butti <laurentb@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/mjpegdec: fix overread in find_marker()
Found-by: Laurent Butti <laurentb@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
16a0d75c · Michael Niedermayer · 2baa12f1 · 16a0d75c
Commit 16a0d75c authored Aug 23, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

mjpegdec.c libavcodec/mjpegdec.c +2 -1

No files found.
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1610,7 +1610,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
    int skipped = 0;

    buf_ptr = *pbuf_ptr;
-    while (buf_ptr < buf_end) {
+    while (buf_end - buf_ptr > 1) {
        v  = *buf_ptr++;
        v2 = *buf_ptr;
        if ((v == 0xff) && (v2 >= 0xc0) && (v2 <= 0xfe) && buf_ptr < buf_end) {
@@ -1619,6 +1619,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
        }
        skipped++;
    }
+    buf_ptr = buf_end;
    val = -1;
 found:
    av_dlog(NULL, "find_marker skipped %d bytes\n", skipped);