On 6/8/23 22:30, Anton Khirnov wrote:
Quoting Leo Izen (2023-06-08 16:26:37)
This should avoid overrunning buffers with jxlp boxes if the size is
zero or if the size is so small the box is invalid.
Signed-off-by: Leo Izen <leo.i...@gmail.com>
---
libavformat/jpegxl_anim_dec.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
index 6ea6c46d8f..c9e4dcd5fc 100644
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t
*input_buffer, int inp
tag = AV_RL32(b);
b += 4;
if (tag == MKTAG('j', 'x', 'l', 'p')) {
+ if (b - input_buffer >= input_len - 4)
+ break;
b += 4;
- size -= 4;
+ if (size) {
+ if (size < 4)
+ return AVERROR_INVALIDDATA;
+ size -= 4;
+ }
This looks like it should be using bytestream2. Is there a good reason
it is not?
No particular reason, I'll send an updated patch using it.
Also, I pushed the first three patches that michaelni authored, but not
the 4th or this one.
- Leo Izen
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
