On Tuesday 12 January 2016 02:28:28 pm Michael Niedermayer wrote:
> On Tue, Jan 12, 2016 at 02:19:53PM +0100, Carl Eugen Hoyos wrote:
> > On Tuesday 12 January 2016 02:16:52 pm Michael Niedermayer wrote:
> > > On Tue, Jan 12, 2016 at 09:58:53AM +0100, Carl Eugen Hoyos wrote:
> > > > - if (memcmp("AVI1", buf + 6, 4)) {
> > > > - av_log(avctx, AV_LOG_ERROR, "input is not MJPEG/AVI1\n");
> > > > - return AVERROR_INVALIDDATA;
> > > > + if (buf[2] == 0xff && buf[3] == APP0) {
> > > > + input_skip = (buf[4] << 8) + buf[5] + 4;
> > > > + } else {
> > > > + input_skip = 2;
> > >
> > > shouldn't the first 2 bytes that are being skipped be checked?
> >
> > I don't know (possibly) but it seems unrelated to this patch:
> > They are not checked now.
>
> true
>
> still before the patch 4 bytes are checked, afterwards none
> these 4 bytes sort of imply that the previous bytes aren't arbitrary
>
> if the 2 bytes are different from what is expected then the code
> would potentially generate invalid output, or do I miss some check
> elsewhere that would prevent that?
New patch attached.

Please comment, Carl Eugen
diff --git a/libavcodec/mjpeg2jpeg_bsf.c b/libavcodec/mjpeg2jpeg_bsf.c index 68640db..71f0154 100644 --- a/libavcodec/mjpeg2jpeg_bsf.c +++ b/libavcodec/mjpeg2jpeg_bsf.c @@ -28,6 +28,7 @@ #include "libavutil/error.h" #include "libavutil/mem.h" +#include "libavutil/intreadwrite.h" #include "avcodec.h" #include "jpegtables.h" @@ -88,6 +89,10 @@ static int mjpeg2jpeg_filter(AVBitStreamFilterContext *bsfc, av_log(avctx, AV_LOG_ERROR, "input is truncated\n"); return AVERROR_INVALIDDATA; } + if (AV_RB16(buf) != 0xffd8) { + av_log(avctx, AV_LOG_ERROR, "input is not MJPEG\n"); + return AVERROR_INVALIDDATA; + } if (memcmp("AVI1", buf + 6, 4)) { av_log(avctx, AV_LOG_ERROR, "input is not MJPEG/AVI1\n"); return AVERROR_INVALIDDATA;
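Review bot: in the first hunk the new `#include "libavutil/intreadwrite.h"` lands after `libavutil/mem.h`, which breaks the alphabetical order of the libavutil includes already present (`error.h`, `mem.h`); move it up one line so it sits between `error.h` and `mem.h`.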
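Review bot: in the second hunk the new `if (AV_RB16(buf) != 0xffd8)` test is placed after the existing "input is truncated" check and before the `memcmp("AVI1", buf + 6, 4)`, so the two-byte read cannot run past a short buffer and the SOI marker is validated before the code goes on to trust the bytes that follow it, which addresses the concern raised in the thread about the first two skipped bytes never being checked. The log message could be more specific for anyone diagnosing a rejected file: "input is not MJPEG" does not say what was looked at, whereas something like "missing JPEG SOI marker (0xFFD8)" points straight at the failed condition.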
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel