On 13 December 2013 13:05, Luca Barbato <lu_z...@gentoo.org> wrote: > Still assume the size value is right in non-explode mode. > --- > libavformat/jvdec.c | 20 ++++++++++++++++++-- > 1 file changed, 18 insertions(+), 2 deletions(-) > > diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c > index 9776b13..fd86ad4 100644 > --- a/libavformat/jvdec.c > +++ b/libavformat/jvdec.c > @@ -119,10 +119,22 @@ static int read_header(AVFormatContext *s) > jvf->audio_size = avio_rl32(pb); > jvf->video_size = avio_rl32(pb); > jvf->palette_size = avio_r8(pb) ? 768 : 0; > - jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0), > - INT_MAX - JV_PREAMBLE_SIZE - > jvf->palette_size); > + > + if (jvf->video_size < 0 || > + jvf->audio_size < 0 || > + e->size - jvf->audio_size > + - jvf->video_size > + - jvf->palette_size < 0) { > + if (s->error_recognition & AV_EF_EXPLODE) > + goto fail; > + jvf->audio_size = > + jvf->video_size = > + jvf->palette_size = 0; > + } > + > if (avio_r8(pb)) > av_log(s, AV_LOG_WARNING, "unsupported audio codec\n"); > + > jvf->video_type = avio_r8(pb); > avio_skip(pb, 1); > > @@ -134,6 +146,10 @@ static int read_header(AVFormatContext *s) > > jv->state = JV_AUDIO; > return 0; > + > +fail: > + av_free(jv->frames); > + return AVERROR_INVALIDDATA; > } > > static int read_packet(AVFormatContext *s, AVPacket *pkt) > --
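Review bot: the new bounds check in the read_header hunk can itself overflow: after `jvf->video_size < 0` and `jvf->audio_size < 0` have been ruled out, the two fields may each still be as large as INT_MAX, so `e->size - jvf->audio_size - jvf->video_size - jvf->palette_size` can wrap (signed overflow, undefined behaviour, assuming these are plain int as the surrounding code suggests; the declarations are not in the hunk) and come out positive, which would let an oversized frame through the very check meant to reject it. Comparing rather than subtracting avoids the wrap once the non-negative checks have passed, e.g. `jvf->audio_size > e->size || jvf->video_size > e->size - jvf->audio_size - jvf->palette_size`, since the right-hand side can then go no lower than -768. Also worth a comment in the code: in the non-explode branch the patch zeroes all three sizes instead of clamping `video_size` as the removed `FFMIN(FFMAX(...))` did, so a reader needs to know that a frame with inconsistent sizes is now deliberately emptied rather than truncated.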
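Review bot: in the `fail:` label added in the second hunk, `av_free(jv->frames)` leaves `jv->frames` dangling; if the demuxer's close path (not visible in this hunk) also frees it on an error return from read_header, that is a double free. `av_freep(&jv->frames)` costs nothing and makes the cleanup safe regardless of what the caller does afterwards.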
LGTM, though I'd check (jvf->video_size | jvf->audio_size) & ~0xFFFFFF. 16 MB per frame should be enough for this codec.

libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel