mjpegdec: tighten unescaped_buf_size size check, prevent null ptr deref
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
abe68364a3
commit
a9456c7c5c
@ -1611,7 +1611,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
|
||||
/* EOF */
|
||||
if (start_code < 0) {
|
||||
goto the_end;
|
||||
} else if (unescaped_buf_size > (1U<<29)) {
|
||||
} else if (unescaped_buf_size > (1U<<28)) {
|
||||
av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n",
|
||||
start_code, unescaped_buf_size, buf_size);
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
Loading…
Reference in New Issue
Block a user