verify len field validity in mjpeg_decode_com()

Originally committed as revision 4451 to svn://svn.ffmpeg.org/ffmpeg/trunk

verify len field validity in mjpeg_decode_com()
Originally committed as revision 4451 to svn://svn.ffmpeg.org/ffmpeg/trunk
e3394372 · Michael Niedermayer · 1b51e051 · e3394372
Commit e3394372 authored Jul 17, 2005 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 3 deletions

mjpeg.c libavcodec/mjpeg.c +1 -3

No files found.
--- a/libavcodec/mjpeg.c
+++ b/libavcodec/mjpeg.c
@@ -1728,10 +1728,8 @@ out:

 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
-    /* XXX: verify len field validity */
    int len = get_bits(&s->gb, 16);
-    if (len >= 2 && len < 32768) {
-	/* XXX: any better upper bound */
+    if (len >= 2 && 8*len - 16 + get_bits_count(&s->gb) <= s->gb.size_in_bits) {
 	uint8_t *cbuf = av_malloc(len - 1);
 	if (cbuf) {
 	    int i;