# HG changeset patch
# User kabi
# Date 1044873941 0
# Node ID 081b1f28c1ae1b1480a5ffa7435e29d3a2893150
# Parent e67433f96ae3c9bc1ea92eb2bd5a679033312037
* check for potentialy problematic field len
diff -r e67433f96ae3 -r 081b1f28c1ae mjpeg.c
--- a/mjpeg.c Mon Feb 10 09:41:44 2003 +0000
+++ b/mjpeg.c Mon Feb 10 10:45:41 2003 +0000
@@ -1262,31 +1262,33 @@
 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
- int i;
- UINT8 *cbuf;
- /* XXX: verify len field validity */
- unsigned int len = get_bits(&s->gb, 16)-2;
- cbuf = av_malloc(len+1);
+ unsigned int len = get_bits(&s->gb, 16);
+ if (len >= 2 && len < 32768) {
+ /* XXX: any better upper bound */
+ UINT8 *cbuf = av_malloc(len - 1);
+ if (cbuf) {
+ int i;
+ for (i = 0; i < len - 2; i++)
+ cbuf[i] = get_bits(&s->gb, 8);
+ if (i > 0 && cbuf[i-1] == '\n')
+ cbuf[i-1] = 0;
+ else
+ cbuf[i] = 0;
- for (i = 0; i < len; i++)
- cbuf[i] = get_bits(&s->gb, 8);
- if (cbuf[i-1] == '\n')
- cbuf[i-1] = 0;
- else
- cbuf[i] = 0;
-
- printf("mjpeg comment: '%s'\n", cbuf);
+ printf("mjpeg comment: '%s'\n", cbuf);
- /* buggy avid, it puts EOI only at every 10th frame */
- if (!strcmp(cbuf, "AVID"))
- {
- s->buggy_avid = 1;
-// if (s->first_picture)
-// printf("mjpeg: workarounding buggy AVID\n");
+ /* buggy avid, it puts EOI only at every 10th frame */
+ if (!strcmp(cbuf, "AVID"))
+ {
+ s->buggy_avid = 1;
+ // if (s->first_picture)
+ // printf("mjpeg: workarounding buggy AVID\n");
+ }
+
+ av_free(cbuf);
+ }
 }
-
- av_free(cbuf);
 return 0;
 }
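Review bot: The new guard `if (len >= 2 && len < 32768)` in mjpeg_decode_com bounds the allocation but still trusts the length field taken from the stream, because nothing compares it with the data actually left in `s->gb`. A COM segment that declares more payload than the input holds would keep the `cbuf[i] = get_bits(&s->gb, 8);` loop reading past the end of the buffer, assuming get_bits does no bounds checking of its own (its body is not visible here). The `/* XXX: any better upper bound */` question has a natural answer: reject the segment when `8 * (len - 2)` exceeds the bits remaining in the reader, instead of using the fixed 32768. Separately, when the length is rejected or av_malloc fails the function returns 0 without consuming the segment, so the caller cannot tell a parsed comment from a skipped one; returning -1 on those two paths would make that visible. The payload is also printed raw through `printf("mjpeg comment: '%s'\n", cbuf);`, so control bytes from the file reach the terminal unfiltered.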