From 0db1f2c2c78db18999fccd46a156408e5e87c8a1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 12 Oct 2014 00:25:47 +0200
Subject: [PATCH] avcodec/mjpegdec: sanity check bits

Fixes undefined shift
Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/mjpegdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 89666729ca..271c05e40f 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -256,6 +256,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 s->avctx->bits_per_raw_sample =
 bits = get_bits(&s->gb, 8);
 
+ if (bits > 16 || bits < 1) {
+ av_log(s->avctx, AV_LOG_ERROR, "bits %d is invalid\n", bits);
+ return AVERROR_INVALIDDATA;
+ }
+
 if (s->pegasus_rct)
 bits = 9;
 if (bits == 9 && !s->pegasus_rct)
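Review bot: The range check runs only after the raw 8-bit value has been stored in `s->avctx->bits_per_raw_sample`, so on the `AVERROR_INVALIDDATA` path the codec context still holds a precision outside 1..16. Whether anything reads that field after a rejected SOF is not visible here, but a later frame or the calling application could presumably see the stale value. Reading into the local first and publishing it only after validation avoids that: `bits = get_bits(&s->gb, 8);` before the check, and `s->avctx->bits_per_raw_sample = bits;` after it. The log text could also name the field, e.g. `"invalid sample precision %d\n"`, so the error is recognisable in logs during triage. The body of ff_mjpeg_decode_sof starts and ends outside this hunk.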