jpegdec: check buffer size before dereferencing. Fixes #541

Some cameras (Panacast) have buggy drivers/firmware which send invalid JPEG frames, containing no data, which makes jpegdec crash because it assumes the frame is at least 2 bytes long. Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/760>
author: Jérôme Laheurte <jlaheurte@quividi.net> 2020-09-10 11:24:32 +0200
committer: Tim-Philipp Müller <tim@centricular.com> 2020-10-02 01:03:15 +0100
commit: de330527cb56965bef5d93c11c031fdf880cb3d1 (patch)
tree: 911f3f3dd4aa8453aba3cf9d34d136e4c17a8fd2
parent: 428c9b60532917c0ac49c9d48b15bdcd00a1370b (diff)
download: gstreamer-plugins-good-de330527cb56965bef5d93c11c031fdf880cb3d1.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/ext/jpeg/gstjpegdec.c b/ext/jpeg/gstjpegdec.c
index 0962fe8cf..c4bb732a9 100644
--- a/ext/jpeg/gstjpegdec.c
+++ b/ext/jpeg/gstjpegdec.c
@@ -1215,6 +1215,8 @@ gst_jpeg_dec_handle_frame (GstVideoDecoder * bdec, GstVideoCodecFrame * frame)
 
   data = dec->current_frame_map.data;
   nbytes = dec->current_frame_map.size;
+  if (nbytes < 2)
+    goto need_more_data;
   has_eoi = ((data[nbytes - 2] == 0xff) && (data[nbytes - 1] == 0xd9));
 
   /* some cameras fail to send an end-of-image marker (EOI),
author	Jérôme Laheurte <jlaheurte@quividi.net>	2020-09-10 11:24:32 +0200
committer	Tim-Philipp Müller <tim@centricular.com>	2020-10-02 01:03:15 +0100
commit	de330527cb56965bef5d93c11c031fdf880cb3d1 (patch)
tree	911f3f3dd4aa8453aba3cf9d34d136e4c17a8fd2
parent	428c9b60532917c0ac49c9d48b15bdcd00a1370b (diff)
download	gstreamer-plugins-good-de330527cb56965bef5d93c11c031fdf880cb3d1.tar.gz