mjpegdec: tighten unescaped_buf_size size check, prevent null ptr deref

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

mjpegdec: tighten unescaped_buf_size size check, prevent null ptr deref
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
a9456c7c · Michael Niedermayer · abe68364 · a9456c7c
Commit a9456c7c authored Nov 12, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

mjpegdec.c libavcodec/mjpegdec.c +1 -1

No files found.
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1611,7 +1611,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        /* EOF */
        if (start_code < 0) {
            goto the_end;
-        } else if (unescaped_buf_size > (1U<<29)) {
+        } else if (unescaped_buf_size > (1U<<28)) {
            av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n",
                   start_code, unescaped_buf_size, buf_size);
            return AVERROR_INVALIDDATA;