On 06/21/2013 03:26 PM, Nicolas Bertrand wrote:
> From: Michael Niedermayer <[email protected]>
>
> This is likely remotely exploitable
> Fix ported from j2kdec
> No uptodate FFmpeg release should be affected by this
Questions: What is 32*3 ? Make a define that is at least a bit explanatory.
jpeg2000dec: make sure ${whatever n is} is within bounds
Prevent buffer overwrites.
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Michael Niedermayer <[email protected]>
Incidentally, what about using a more compact name for jpeg2000 such as
jpeg2k ?
> ---
> libavcodec/jpeg2000dec.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
> index 72b84e7..66d1aec 100644
> --- a/libavcodec/jpeg2000dec.c
> +++ b/libavcodec/jpeg2000dec.c
> @@ -353,7 +353,7 @@ static int get_qcx(Jpeg2000DecoderContext *s, int n,
> Jpeg2000QuantStyle *q)
>
> if (q->quantsty == JPEG2000_QSTY_NONE) {
> n -= 3;
> - if (s->buf_end - s->buf < n)
> + if (s->buf_end - s->buf < n || 32*3 < n)
> return AVERROR(EINVAL);
> for (i = 0; i < n; i++)
> q->expn[i] = bytestream_get_byte(&s->buf) >> 3;
> @@ -370,7 +370,7 @@ static int get_qcx(Jpeg2000DecoderContext *s, int n,
> Jpeg2000QuantStyle *q)
> }
> } else {
> n = (n - 3) >> 1;
> - if (s->buf_end - s->buf < n)
> + if (s->buf_end - s->buf < 2 * n || 32*3 < n)
> return AVERROR(EINVAL);
> for (i = 0; i < n; i++) {
> x = bytestream_get_be16(&s->buf);
>
Same cleanup as the previous needed.
lu
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
