# HG changeset patch
# User michael
# Date 1121599620 0
# Node ID eb488002ab4a31b08fe2a27d4621c1f56ef9ad82
# Parent 217844bd1fa12c401999552662b29f5a34a9424a
verify len field validity in mjpeg_decode_com()

diff -r 217844bd1fa1 -r eb488002ab4a mjpeg.c
--- a/mjpeg.c Sun Jul 17 09:22:51 2005 +0000
+++ b/mjpeg.c Sun Jul 17 11:27:00 2005 +0000
@@ -1728,10 +1728,8 @@
 
 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
- /* XXX: verify len field validity */
 int len = get_bits(&s->gb, 16);
- if (len >= 2 && len < 32768) {
- /* XXX: any better upper bound */
+ if (len >= 2 && 8*len - 16 + get_bits_count(&s->gb) <= s->gb.size_in_bits) {
 uint8_t *cbuf = av_malloc(len - 1);
 if (cbuf) {
 int i;
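Review bot: The new bound in the `if` looks right but is hard to read, and with both XXX comments removed nothing explains why 16 is subtracted. I would name the unread size first, `int remaining = s->gb.size_in_bits - get_bits_count(&s->gb);`, then test `if (len >= 2 && 8*(len - 2) <= remaining) {`, with a comment such as `/* len counts its own 2 bytes; the len-2 payload bytes must lie inside the unread input */`. The function body continues past the end of the hunk, so the failure path is not visible here. If a rejected length simply falls through, a truncated or malformed COM segment leaves no trace, and a log message or error return there would make such streams easier to diagnose.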