[FFmpeg-devel] [PATCH] jpegls: allocate large enough zero buffer
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Wed Dec 30 21:12:05 CET 2015
It is read up to length s->width * stride, which can be larger than the
linesize. (stride = (s->nb_components > 1) ? 3 : 1)
This fixes an out of bounds read.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavcodec/jpeglsdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 68151cb..11ffe93 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -348,7 +348,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
JLSState *state;
int off = 0, stride = 1, width, shift, ret = 0;
- zero = av_mallocz(s->picture_ptr->linesize[0]);
+ zero = av_mallocz(FFMAX(s->picture_ptr->linesize[0], s->width * ((s->nb_components > 1) ? 3 : 1)));
if (!zero)
return AVERROR(ENOMEM);
last = zero;
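Review bot: In the new av_mallocz() call, the size repeats the stride rule inline as (s->nb_components > 1) ? 3 : 1 while the local stride is still initialised to 1 in the declaration just above, so the allocation and the reads described in the commit message can drift apart if the stride logic ever changes. Consider computing the stride once before the allocation and sizing the buffer from that variable. The product s->width * 3 is also evaluated in int before it reaches av_mallocz(), so it is worth confirming that s->width is bounded earlier in the decoder, or doing the multiplication in size_t. Since the argument is a byte count, the commit message should also say whether the s->width * stride read length is in bytes or in samples.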
--
2.6.4