changeset 1061:081b1f28c1ae libavcodec

* check for potentially problematic field len
author kabi
date Mon, 10 Feb 2003 10:45:41 +0000
parents e67433f96ae3
children e4c1df460506
files mjpeg.c
diffstat 1 files changed, 23 insertions(+), 21 deletions(-) [+]
--- a/mjpeg.c	Mon Feb 10 09:41:44 2003 +0000
+++ b/mjpeg.c	Mon Feb 10 10:45:41 2003 +0000
@@ -1262,31 +1262,33 @@
 
 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
-    int i;
-    UINT8 *cbuf;
-
     /* XXX: verify len field validity */
-    unsigned int len = get_bits(&s->gb, 16)-2;
-    cbuf = av_malloc(len+1);
+    unsigned int len = get_bits(&s->gb, 16);
+    if (len >= 2 && len < 32768) {
+	/* XXX: any better upper bound */
+	UINT8 *cbuf = av_malloc(len - 1);
+	if (cbuf) {
+	    int i;
+	    for (i = 0; i < len - 2; i++)
+		cbuf[i] = get_bits(&s->gb, 8);
+	    if (i > 0 && cbuf[i-1] == '\n')
+		cbuf[i-1] = 0;
+	    else
+		cbuf[i] = 0;
 
-    for (i = 0; i < len; i++)
-	cbuf[i] = get_bits(&s->gb, 8);
-    if (cbuf[i-1] == '\n')
-	cbuf[i-1] = 0;
-    else
-	cbuf[i] = 0;
-
-    printf("mjpeg comment: '%s'\n", cbuf);
+	    printf("mjpeg comment: '%s'\n", cbuf);
 
-    /* buggy avid, it puts EOI only at every 10th frame */
-    if (!strcmp(cbuf, "AVID"))
-    {
-	s->buggy_avid = 1;
-//	if (s->first_picture)
-//	    printf("mjpeg: workarounding buggy AVID\n");
+	    /* buggy avid, it puts EOI only at every 10th frame */
+	    if (!strcmp(cbuf, "AVID"))
+	    {
+		s->buggy_avid = 1;
+		//	if (s->first_picture)
+		//	    printf("mjpeg: workarounding buggy AVID\n");
+	    }
+
+	    av_free(cbuf);
+	}
     }
-    
-    av_free(cbuf);
 
     return 0;
 }
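Review bot: The new guard `len >= 2 && len < 32768` bounds the allocation but never compares `len` with the data still available in `s->gb`, so a COM segment that declares more bytes than the input holds still runs the `get_bits(&s->gb, 8)` loop for the full declared length. Whether `get_bits` itself stops at the end of the buffer is not visible in this hunk. The condition should also require that `8 * (len - 2)` does not exceed the bits remaining in the reader, using whatever remaining-size field or helper `GetBitContext` offers at this revision. The leftover `/* XXX: verify len field validity */` could then become `/* len includes its own 2 bytes; payload must fit in the remaining input */`. Separately, when `len` is rejected or `av_malloc` fails the function returns 0 without consuming the payload, which is presumably fine if the caller resynchronises on the next marker but deserves a one-line comment.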