Quoting Leo Izen (2023-06-08 16:26:37) > This should avoid overrunning buffers with jxlp boxes if the size is > zero or if the size is so small the box is invalid. > > Signed-off-by: Leo Izen <leo.i...@gmail.com> > --- > libavformat/jpegxl_anim_dec.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c > index 6ea6c46d8f..c9e4dcd5fc 100644 > --- a/libavformat/jpegxl_anim_dec.c > +++ b/libavformat/jpegxl_anim_dec.c > @@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t > *input_buffer, int inp > tag = AV_RL32(b); > b += 4; > if (tag == MKTAG('j', 'x', 'l', 'p')) { > + if (b - input_buffer >= input_len - 4) > + break; > b += 4; > - size -= 4; > + if (size) { > + if (size < 4) > + return AVERROR_INVALIDDATA; > + size -= 4; > + }
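Review bot: In the jxlp branch, the two malformed-input cases are handled differently, and neither is documented. The new `if (b - input_buffer >= input_len - 4)` check ends the loop with a silent `break`, while `if (size < 4)` a few lines later returns AVERROR_INVALIDDATA. If a truncated buffer is meant to be tolerated and an undersized box is meant to be rejected, a one-line comment on each would make that intent reviewable; otherwise the two paths should fail the same way. The `>=` comparison also breaks when exactly 4 bytes remain, although the following `b += 4` would still land on the end of the buffer, so it is worth confirming whether `>` was intended. The `if (size)` guard leaves a zero size untouched without explanation; a comment stating what a zero size means for this box would help the next reader. All of this is hand-written pointer arithmetic on `b`, so each later read in the function depends on checks like this one being repeated correctly.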
This looks like it should be using bytestream2. Is there a good reason it is not?

-- 
Anton Khirnov