jpegls: check the scan offset

Prevent an out of array bound write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
author: Luca Barbato <lu_zero@gentoo.org> 2013-05-17 13:08:55 +0200
committer: Luca Barbato <lu_zero@gentoo.org> 2013-05-17 16:44:13 +0200
commit: abad374909e6416e941351094f4f1446a71f8d23 (patch)
tree: 7a59ce272b7c53bae7a1dcbd893b7c421d1da860 /libavcodec/jpeglsdec.c
parent: 4a4107b48944397c914aa39ee16a82fe44db8c4c (diff)
download: ffmpeg-abad374909e6416e941351094f4f1446a71f8d23.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 3616063bf1..df72ca338f 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -306,6 +306,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
     av_dlog(s->avctx, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n",
             ilv, point_transform, s->bits, s->cur_scan);
     if (ilv == 0) { /* separate planes */
+        if (s->cur_scan > s->nb_components) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
         off    = s->cur_scan - 1;
         stride = (s->nb_components > 1) ? 3 : 1;
         width  = s->width * stride;
author	Luca Barbato <lu_zero@gentoo.org>	2013-05-17 13:08:55 +0200
committer	Luca Barbato <lu_zero@gentoo.org>	2013-05-17 16:44:13 +0200
commit	abad374909e6416e941351094f4f1446a71f8d23 (patch)
tree	7a59ce272b7c53bae7a1dcbd893b7c421d1da860 /libavcodec/jpeglsdec.c
parent	4a4107b48944397c914aa39ee16a82fe44db8c4c (diff)
download	ffmpeg-abad374909e6416e941351094f4f1446a71f8d23.tar.gz