avcodec/mjpegdec: check len in mjpeg_decode_app() more completely

Avoids len from becoming negative and causing assertion failure Fixes: signal_sigabrt_7ffff7126425_5140_fd44dc63fa7bdd12ee34fc602231ef02.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/mjpegdec: check len in mjpeg_decode_app() more completely
Avoids len from becoming negative and causing assertion failure Fixes: signal_sigabrt_7ffff7126425_5140_fd44dc63fa7bdd12ee34fc602231ef02.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6060234d · Michael Niedermayer · ba992711 · 6060234d
Commit 6060234d authored Nov 22, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

mjpegdec.c libavcodec/mjpegdec.c +2 -2

No files found.
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1443,7 +1443,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
    int len, id, i;
    len = get_bits(&s->gb, 16);
-    if (len < 5)
+    if (len < 6)
        return AVERROR_INVALIDDATA;
    if (8 * len > get_bits_left(&s->gb))
        return AVERROR_INVALIDDATA;
@@ -1557,7 +1557,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
    }
    /* EXIF metadata */
-    if (s->start_code == APP1 && id == AV_RB32("Exif")) {
+    if (s->start_code == APP1 && id == AV_RB32("Exif") && len >= 2) {
        GetByteContext gbytes;
        int ret, le, ifd_offset, bytes_read;
        const uint8_t *aligned;