Still assume the size value is right in non-explode mode. --- libavformat/jvdec.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 9776b13..fd86ad4 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -119,10 +119,22 @@ static int read_header(AVFormatContext *s)
         jvf->audio_size = avio_rl32(pb);
         jvf->video_size = avio_rl32(pb);
         jvf->palette_size = avio_r8(pb) ? 768 : 0;
-        jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0),
-                                INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size);
+
+        if (jvf->video_size < 0 ||
+            jvf->audio_size < 0 ||
+            e->size - jvf->audio_size
+                    - jvf->video_size
+                    - jvf->palette_size < 0) {
+            if (s->error_recognition & AV_EF_EXPLODE)
+                goto fail;
+            jvf->audio_size =
+            jvf->video_size =
+            jvf->palette_size = 0;
+        }
+
         if (avio_r8(pb))
             av_log(s, AV_LOG_WARNING, "unsupported audio codec\n");
+
         jvf->video_type = avio_r8(pb);
         avio_skip(pb, 1);
@@ -134,6 +146,10 @@ static int read_header(AVFormatContext *s)
     jv->state = JV_AUDIO;
     return 0;
+
+fail:
+    av_free(jv->frames);
+    return AVERROR_INVALIDDATA;
 }
 
 static int read_packet(AVFormatContext *s, AVPacket *pkt)
--
1.8.5.1
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
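Review bot: The new range check can itself overflow: `e->size - jvf->audio_size - jvf->video_size - jvf->palette_size` is evaluated in the fields' own signed type, and the two preceding conditions only guarantee that `audio_size` and `video_size` are non-negative, so two values near the type's maximum make the intermediate subtraction a signed overflow, which is undefined behaviour and may be compiled into a check that never fires (the width of `e->size` is not visible in the hunk, so this is hedged on it being an int-like field). Comparing one term at a time avoids the arithmetic: `jvf->audio_size > e->size || jvf->video_size > e->size - jvf->audio_size || jvf->palette_size > e->size - jvf->audio_size - jvf->video_size`. Each subtraction there is evaluated only after the previous comparison has shown its result is non-negative, and a negative `e->size`, which the hunk never checks, is rejected by the first comparison because `audio_size` is already known to be non-negative at that point. read_header begins before this hunk, so the declaration of `e` and the enclosing loop are outside the view.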
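Review bot: The new `fail:` path frees `jv->frames` with `av_free` and leaves the pointer set in the context; the library's `av_freep(&jv->frames);` form nulls it so that a later `read_close` cannot free the same buffer twice. Whether the generic open-failure path in this tree calls `read_close` after a failed `read_header` is outside this patch, so this is defence in depth rather than a demonstrated crash. The `goto fail` in the first hunk is the only user of the label visible here, and the rest of read_header is outside the hunk.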