[FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container
Anton Khirnov
anton at khirnov.net
Fri Jun 9 05:30:34 EEST 2023
Quoting Leo Izen (2023-06-08 16:26:37)
> This should avoid overrunning buffers with jxlp boxes if the size is
> zero or if the size is so small the box is invalid.
>
> Signed-off-by: Leo Izen <leo.izen at gmail.com>
> ---
> libavformat/jpegxl_anim_dec.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
> index 6ea6c46d8f..c9e4dcd5fc 100644
> --- a/libavformat/jpegxl_anim_dec.c
> +++ b/libavformat/jpegxl_anim_dec.c
> @@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp
> tag = AV_RL32(b);
> b += 4;
> if (tag == MKTAG('j', 'x', 'l', 'p')) {
> + if (b - input_buffer >= input_len - 4)
> + break;
> b += 4;
> - size -= 4;
> + if (size) {
> + if (size < 4)
> + return AVERROR_INVALIDDATA;
> + size -= 4;
> + }
This looks like it should be using bytestream2. Is there a good reason
it is not?
--
Anton Khirnov
More information about the ffmpeg-devel
mailing list