avcodec/jpeg2000dec: Check cdx/y values more carefully

Some invalid values where not handled correctly in the later pixel format matching code. Fixes out of array accesses Fixes Ticket2848 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
FFmpeg · Aug 22, 2013 · 8bb11c3 · 8bb11c3
1 parent c443689
commit 8bb11c3
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
@@ -273,7 +273,8 @@ static int get_siz(Jpeg2000DecoderContext *s)
         s->sgnd[i]   = !!(x & 0x80);
         s->cdx[i]    = bytestream2_get_byteu(&s->g);
         s->cdy[i]    = bytestream2_get_byteu(&s->g);
-        if (!s->cdx[i] || !s->cdy[i]) {
+        if (   !s->cdx[i] || s->cdx[i] == 3 || s->cdx[i] > 4
+            || !s->cdy[i] || s->cdy[i] == 3 || s->cdy[i] > 4) {
             av_log(s->avctx, AV_LOG_ERROR, "Invalid sample seperation\n");
             return AVERROR_INVALIDDATA;
         }