verify len field validity in mjpeg_decode_com()

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@4451 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

verify len field validity in mjpeg_decode_com()
git-svn-id: file:///var/local/repositories/ffmpeg/trunk@4451 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
6d1073ee · michael · 87c00419 · 6d1073ee
Commit 6d1073ee authored Jul 17, 2005 by michael
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 3 deletions

libavcodec/mjpeg.c libavcodec/mjpeg.c +1 -3

No files found.
--- a/libavcodec/mjpeg.c
+++ b/libavcodec/mjpeg.c
@@ -1728,10 +1728,8 @@ out:

 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
-    /* XXX: verify len field validity */
    int len = get_bits(&s->gb, 16);
-    if (len >= 2 && len < 32768) {
-	/* XXX: any better upper bound */
+    if (len >= 2 && 8*len - 16 + get_bits_count(&s->gb) <= s->gb.size_in_bits) {
 	uint8_t *cbuf = av_malloc(len - 1);
 	if (cbuf) {
 	    int i;