On 06/21/2013 03:26 PM, Nicolas Bertrand wrote:
> From: Michael Niedermayer <[email protected]>
> jpeg2000dec: validate the current tile number
>
> Fixes out of array accesses
> Code ported from j2kdec

j2kdec doesn't exist here.

> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Michael Niedermayer <[email protected]>
> ---
> libavcodec/jpeg2000dec.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
> index b1633e3..038ab4f 100644
> --- a/libavcodec/jpeg2000dec.c
> +++ b/libavcodec/jpeg2000dec.c
> @@ -416,7 +416,11 @@ static int get_sot(Jpeg2000DecoderContext *s, int n)
> if (bytestream2_get_bytes_left(&s->g) < 8)
> return AVERROR(EINVAL);
>
> - Isot = bytestream2_get_be16u(&s->g); // Isot
> + s->curtileno = Isot = bytestream2_get_be16u(&s->g); // Isot
> + if((unsigned)s->curtileno >= s->numXtiles * s->numYtiles){

Why is curtileno signed? Does a negative value have any meaning?

> + s->curtileno=0;
> + return AVERROR(EINVAL);

INVALIDDATA

> + }
> if (Isot) {
> av_log(s->avctx, AV_LOG_ERROR,
> "Not a DCINEMA JP2K file: more than one tile\n");

Do we error out in that case?

lu
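
Review bot: in the added lines of get_sot(), "s->curtileno = Isot = bytestream2_get_be16u(&s->g);" stores the unvalidated tile index in the decoder context before the bounds check, and the failure path then has to undo it with "s->curtileno=0;". Reading into the local Isot, checking it against s->numXtiles * s->numYtiles, and assigning s->curtileno only once the check has passed would mean the context never holds an out-of-range index, even transiently. The value comes from a 16-bit unsigned read, so the (unsigned) cast matters only because of how curtileno is declared, which the hunk does not show; the same applies to the type of the numXtiles * numYtiles product, which is worth confirming cannot overflow. The rejection is for malformed bitstream data, so AVERROR_INVALIDDATA fits better than AVERROR(EINVAL), and the new "if((unsigned)...){" should follow the "if (...) {" spacing of the surrounding context lines.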
