Merge remote-tracking branch 'qatar/master'

* qatar/master: mjpeg: Check the unescaped size for overflows Conflicts: libavcodec/mjpegdec.c See: a9456c7cMerged-by: Michael Niedermayer <michaelni@gmx.at>

Merge remote-tracking branch 'qatar/master'
* qatar/master: mjpeg: Check the unescaped size for overflows Conflicts: libavcodec/mjpegdec.c See: a9456c7cMerged-by: Michael Niedermayer <michaelni@gmx.at>
afddf0d9 · Michael Niedermayer · e3fb8ac9 · 6765ee7b · afddf0d9
Commit afddf0d9 authored Jun 30, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

mjpegdec.c libavcodec/mjpegdec.c +7 -3

No files found.
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1662,14 +1662,18 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        /* EOF */
        if (start_code < 0) {
            goto the_end;
-        } else if (unescaped_buf_size > (1U<<28)) {
-            av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n",
+        } else if (unescaped_buf_size > INT_MAX / 8) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "MJPEG packet 0x%x too big (%d/%d), corrupt data?\n",
                   start_code, unescaped_buf_size, buf_size);
            return AVERROR_INVALIDDATA;
        }
        av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n",
               start_code, buf_end - buf_ptr);
-        if ((ret = init_get_bits8(&s->gb, unescaped_buf_ptr, unescaped_buf_size)) < 0) {
+
+        ret = init_get_bits8(&s->gb, unescaped_buf_ptr, unescaped_buf_size);
+
+        if (ret < 0) {
            av_log(avctx, AV_LOG_ERROR, "invalid buffer\n");
            goto fail;
        }