Add a few size checks when decoding rtjpeg blocks.

Might avoid crashes in unlikely cases, but mostly avoids ugly artefacts for partial frames. Originally committed as revision 18925 to svn://svn.ffmpeg.org/ffmpeg/trunk

Add a few size checks when decoding rtjpeg blocks.
Might avoid crashes in unlikely cases, but mostly avoids ugly artefacts for partial frames. Originally committed as revision 18925 to svn://svn.ffmpeg.org/ffmpeg/trunk
8d857c54 · Reimar Döffinger · 0766291a · 8d857c54
Commit 8d857c54 authored May 24, 2009 by Reimar Döffinger
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

rtjpeg.c libavcodec/rtjpeg.c +7 -0

No files found.
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -55,6 +55,9 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc

    // number of non-zero coefficients
    coeff = get_bits(gb, 6);
+    if (get_bits_count(gb) + (coeff << 1) >= gb->size_in_bits)
+        return 0;
+
    // normally we would only need to clear the (63 - coeff) last values,
    // but since we do not know where they are we just clear the whole block
    memset(block, 0, 64 * sizeof(DCTELEM));
@@ -69,6 +72,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc

    // 4 bits per coefficient
    ALIGN(4);
+    if (get_bits_count(gb) + (coeff << 2) >= gb->size_in_bits)
+        return 0;
    while (coeff) {
        ac = get_sbits(gb, 4);
        if (ac == -8)
@@ -78,6 +83,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc

    // 8 bits per coefficient
    ALIGN(8);
+    if (get_bits_count(gb) + (coeff << 3) >= gb->size_in_bits)
+        return 0;
    while (coeff) {
        ac = get_sbits(gb, 8);
        PUT_COEFF(ac);