On 05/17/2013 01:30 PM, Kostya Shishkov wrote: > On Fri, May 17, 2013 at 01:27:00PM +0200, Luca Barbato wrote: >> Prevent an out of array bound write. >> >> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind >> CC: [email protected] >> --- >> libavcodec/jpeglsdec.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c >> index 9d946fa..4fe1f18 100644 >> --- a/libavcodec/jpeglsdec.c >> +++ b/libavcodec/jpeglsdec.c >> @@ -306,6 +306,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int >> near, >> av_dlog(s->avctx, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", >> ilv, point_transform, s->bits, s->cur_scan); >> if (ilv == 0) { /* separate planes */ >> + if (s->cur_scan > COMPONENTS) { >> + ret = AVERROR_INVALIDDATA; >> + goto end; >> + } >> off = s->cur_scan - 1; >> stride = (s->nb_components > 1) ? COMPONENTS : 1; >> width = s->width * stride; >> -- > > Looks wrong - shouldn't it be checked against s->nb_components instead? > We support grayscale JPEG-LS after all.
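Review bot: The bound in the added check under `if (ilv == 0)` is too loose for single-component streams: it compares `s->cur_scan` against `COMPONENTS`, but the following lines set `stride = (s->nb_components > 1) ? COMPONENTS : 1`, so with one component the stride is 1 while `off = s->cur_scan - 1` can still be as large as `COMPONENTS - 1`. Comparing against the stream's own component count, `if (s->cur_scan > s->nb_components)`, rejects those cases as well. The hunk also shows no lower bound: if `s->cur_scan` can be 0 at this point, `off` becomes -1, so it is worth confirming that this is excluded earlier or folding it into the same check.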
You are right, better being stricter.

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
