Hi! The atom2_size variable, when reading the inner atoms of a jp2 header, is not reduced after reading the first 64 bits of the atom; the variable is used later for several checks to avoid overreads.
Please comment, Carl Eugen
From 8519c62b141953ecbd47f4eb9572a54db29bfec3 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos <ceho...@ag.or.at> Date: Tue, 2 May 2017 16:09:11 +0200 Subject: [PATCH] lavc/jpeg2000dec: Fix jp2 inner atom size used for overread checks. --- libavcodec/jpeg2000dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e9f5f51..ab814ca 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1982,6 +1982,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; if (atom2_size < 8 || atom2_end > atom_end || atom2_end < atom2_size) break; + atom2_size -= 8; if (atom2 == JP2_CODESTREAM) { return 1; } else if (atom2 == MKBETAG('c','o','l','r') && atom2_size >= 7) { -- 1.7.10.4
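Review bot: the new `atom2_size -= 8;` is placed correctly after the `if (atom2_size < 8 || atom2_end > atom_end || atom2_end < atom2_size) break;` guard, because that guard is what keeps the subtraction from going below 8 bytes of header and producing a wrapped or negative value, so it must not be moved above the check. From this line on `atom2_size` holds the payload length rather than the full box length, which changes the meaning of every later comparison on it: the `atom2_size >= 7` test on the `colr` branch in the trailing context now requires 7 payload bytes, which is what that branch needs, whereas before the patch a header-only box of size 8 satisfied it. Suggest a one-line comment at the subtraction (e.g. `atom2_size -= 8; /* now the payload length */`) and a commit message that spells out that the downstream checks are intentionally switched to payload length, since `atom2_end` two lines above is still derived from the full size and a later reader could otherwise assume the two stay consistent.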
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
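The problem the patch fixes, shown in a small stand-alone walker over the child boxes of a jp2h box. This is an added example, not FFmpeg's code: the box layout it assumes is the standard JP2 one (a 32-bit big-endian length that includes the 8-byte header, then a 4-byte type tag, then the payload; a colr payload is METH, PREC, APPROX and, for METH=1, a 4-byte EnumCS), and the two sample jp2h bodies are constructed inline. The `fix_size` flag selects whether the header length is subtracted from the box size before the payload checks run, so the same walker shows the before and after behaviour.

```c
/*
 * Added example, not part of FFmpeg: a minimal walker over the child boxes
 * ("atoms") of a constructed jp2h super-box. Each box is an 8-byte header
 * (32-bit big-endian length including the header, then a 4-byte type tag)
 * followed by the payload. Once the header is consumed, the remaining-size
 * variable must describe the payload only, or the later "enough bytes left"
 * checks compare against the wrong number and let a truncated box through.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TAG(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | \
                      (uint32_t)(c) << 8  | (uint32_t)(d))

static uint32_t rb32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

struct scan_result {
    int      colr_found;  /* a 'colr' box with METH=1 and a full payload was seen */
    uint32_t enumcs;      /* its enumerated colourspace */
    int      overread;    /* the scan would have read past the end of a box */
};

/*
 * Walk the children of a super-box occupying buf[0..len).
 * fix_size != 0: subtract the 8 header bytes before payload checks (patched).
 * fix_size == 0: keep the full box length in atom2_size (unpatched).
 */
static struct scan_result scan_children(const uint8_t *buf, size_t len, int fix_size)
{
    struct scan_result r = {0, 0, 0};
    size_t pos = 0;

    while (len - pos >= 8) {
        uint32_t atom2_size = rb32(buf + pos);
        uint32_t atom2      = rb32(buf + pos + 4);
        size_t   atom2_end  = pos + atom2_size;   /* first byte after this box */

        /* Same guards as the decoder: header must fit, box must stay inside
         * the parent. (size_t arithmetic on a small buffer cannot wrap here.) */
        if (atom2_size < 8 || atom2_end > len)
            break;

        pos += 8;                 /* header consumed; payload starts at pos */
        if (fix_size)
            atom2_size -= 8;      /* atom2_size is now the payload length */

        if (atom2 == TAG('c','o','l','r') && atom2_size >= 7) {
            /* colr payload: METH(1) PREC(1) APPROX(1) EnumCS(4) when METH==1.
             * Without the fix, a header-only box (size 8) still gets here. */
            if (atom2_end - pos < 7) {
                r.overread = 1;   /* the 7-byte read would cross the box end */
                return r;
            }
            if (buf[pos] == 1) {
                r.colr_found = 1;
                r.enumcs = rb32(buf + pos + 3);
            }
        }
        pos = atom2_end;          /* skip to the next child box */
    }
    return r;
}

/* Constructed sample: an 'ihdr' box (22 bytes) then a well-formed 'colr'
 * box (15 bytes) with METH=1 and EnumCS=16. */
static const uint8_t good_jp2h[] = {
    0,0,0,22, 'i','h','d','r',
    0,0,0,64, 0,0,0,64, 0,3, 7, 7, 0, 0,
    0,0,0,15, 'c','o','l','r',
    1, 0, 0, 0,0,0,16
};

/* Constructed sample: a 'colr' box that is only a header (size 8, empty
 * payload) followed by another 8-byte box. */
static const uint8_t bad_jp2h[] = {
    0,0,0,8, 'c','o','l','r',
    0,0,0,8, 'r','e','s',' '
};

int main(void)
{
    struct scan_result a = scan_children(good_jp2h, sizeof good_jp2h, 1);
    struct scan_result b = scan_children(bad_jp2h,  sizeof bad_jp2h,  0);
    struct scan_result c = scan_children(bad_jp2h,  sizeof bad_jp2h,  1);
    printf("good/fixed:   colr=%d enumcs=%u overread=%d\n", a.colr_found, a.enumcs, a.overread);
    printf("bad/unfixed:  colr=%d overread=%d\n", b.colr_found, b.overread);
    printf("bad/fixed:    colr=%d overread=%d\n", c.colr_found, c.overread);
    return 0;
}
```

The unpatched path accepts the header-only colr box because `atom2_size` (8) still passes the `>= 7` test, and the subsequent field reads would run into the bytes of the following box; with the subtraction in place the payload length is 0 and the box is skipped.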