Commit dc35a581 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/mjpegdec: Check len in ff_mjpeg_decode_dqt()

Fixes CID1239060
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 6d3f1783
...@@ -163,6 +163,11 @@ int ff_mjpeg_decode_dqt(MJpegDecodeContext *s) ...@@ -163,6 +163,11 @@ int ff_mjpeg_decode_dqt(MJpegDecodeContext *s)
len = get_bits(&s->gb, 16) - 2; len = get_bits(&s->gb, 16) - 2;
if (8*len > get_bits_left(&s->gb)) {
av_log(s->avctx, AV_LOG_ERROR, "dqt: len %d is too large\n", len);
return AVERROR_INVALIDDATA;
}
while (len >= 65) { while (len >= 65) {
int pr = get_bits(&s->gb, 4); int pr = get_bits(&s->gb, 4);
if (pr > 1) { if (pr > 1) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment