It is read up to length s->width * stride, which can be larger than the linesize. (stride = (s->nb_components > 1) ? 3 : 1)
This fixes an out of bounds read. Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 68151cb..11ffe93 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -348,7 +348,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, JLSState *state; int off = 0, stride = 1, width, shift, ret = 0; - zero = av_mallocz(s->picture_ptr->linesize[0]); + zero = av_mallocz(FFMAX(s->picture_ptr->linesize[0], s->width * ((s->nb_components > 1) ? 3 : 1))); if (!zero) return AVERROR(ENOMEM); last = zero; -- 2.6.4
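Review bot: In the new av_mallocz() argument, the stride expression `(s->nb_components > 1) ? 3 : 1` is written out a second time instead of being taken from the local `stride`, which the context line shows is still initialized to 1 at this point. If the stride computation elsewhere in ff_jpegls_decode_picture() ever changes, the allocation size and the read length can drift apart again and the out-of-bounds read comes back. Consider setting `stride` before the allocation and passing `FFMAX(s->picture_ptr->linesize[0], s->width * stride)`, or at least add a comment tying the two expressions together. The commit message should also say whether `s->width * stride` is a byte count: av_mallocz() takes a size in bytes, so if the zero row is read as samples wider than one byte, this buffer would still be too small.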