jv demuxer: prevent video packet size overflow

In the event of overflow, the JV_PADDING state will avio_skip over any overflow bytes (using JVFrame.total_size). Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>

jv demuxer: prevent video packet size overflow
In the event of overflow, the JV_PADDING state will avio_skip over any overflow bytes (using JVFrame.total_size). Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
7f05c164 · Peter Ross · Ronald S. Bultje · 772cb062 · 7f05c164
Commit 7f05c164 authored Mar 13, 2011 by Peter Ross Committed by Ronald S. Bultje Mar 14, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

jvdec.c libavformat/jvdec.c +2 -0

No files found.
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -116,6 +116,8 @@ static int read_header(AVFormatContext *s,
        jvf->audio_size = avio_rl32(pb);
        jvf->video_size = avio_rl32(pb);
        jvf->palette_size = avio_r8(pb) ? 768 : 0;
+        jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0),
+                                INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size);
        if (avio_r8(pb))
             av_log(s, AV_LOG_WARNING, "unsupported audio codec\n");
        jvf->video_type = avio_r8(pb);