From: Peter Ross Date: Sat, 12 Mar 2011 02:12:05 +0000 (+1100) Subject: jv demuxer: prevent video packet size overflow X-Git-Tag: n0.8~1229 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=435535e41159fbe7423a12078d684329a554776d;p=coroid%2Fffmpeg_saccubus.git jv demuxer: prevent video packet size overflow In the event of overflow, the JV_PADDING state will avio_skip over any overflow bytes (using JVFrame.total_size). --- diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 314a341ac..9235e51a9 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -116,6 +116,8 @@ static int read_header(AVFormatContext *s, jvf->audio_size = avio_rl32(pb); jvf->video_size = avio_rl32(pb); jvf->palette_size = avio_r8(pb) ? 768 : 0; + jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0), + INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size); if (avio_r8(pb)) av_log(s, AV_LOG_WARNING, "unsupported audio codec\n"); jvf->video_type = avio_r8(pb);
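Review bot: The new clamp on jvf->video_size in read_header() is silent and undocumented in the code. A frame header that declares an out-of-range size is quietly reduced, and the only explanation of why that is safe (JV_PADDING skipping the remainder via JVFrame.total_size) is in the commit message. I would add a short comment above the FFMIN/FFMAX line stating the invariant being enforced, that video_size + JV_PREAMBLE_SIZE + palette_size must fit in an int, and emit an av_log warning when the stored value differs from the one read, so that malformed or hostile files are visible in logs. Two further things to confirm, since neither can be determined from these lines: FFMAX(jvf->video_size, 0) only does anything if video_size is a signed type, and in that case the clamp relies on how the unsigned result of avio_rl32() converts to it; and jvf->audio_size, read by avio_rl32(pb) two lines earlier, gets no equivalent bound, so please check whether it feeds a similar size computation.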