From e33943728e775ef9f3239fe950f3be4fa405d1f2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 17 Jul 2005 11:27:00 +0000
Subject: [PATCH] verify len field validity in mjpeg_decode_com()

Originally committed as revision 4451 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/mjpeg.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libavcodec/mjpeg.c b/libavcodec/mjpeg.c
index 58b5b9782..bfce40c4a 100644
--- a/libavcodec/mjpeg.c
+++ b/libavcodec/mjpeg.c
@@ -1728,10 +1728,8 @@ out:

 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
- /* XXX: verify len field validity */
 int len = get_bits(&s->gb, 16);
- if (len >= 2 && len < 32768) {
- /* XXX: any better upper bound */
+ if (len >= 2 && 8*len - 16 + get_bits_count(&s->gb) <= s->gb.size_in_bits) {
 uint8_t *cbuf = av_malloc(len - 1);
 if (cbuf) {
 int i;
-- 
2.34.1
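Review bot: The new bound on the `if (len >= 2 && ...)` line looks correct, but it relies on an invariant that is no longer written down anywhere: `len` is read straight from the stream and counts its own two bytes, which `get_bits()` has already consumed, so `8*len - 16` is the payload size in bits. Since both XXX comments are deleted, I would add `/* len includes the 2 length bytes already read; the (len - 2)-byte payload must fit in the remaining input */` above the test. The equivalent form `8*(len - 2) <= s->gb.size_in_bits - get_bits_count(&s->gb)` reads more directly as "payload versus bits left" and keeps the untrusted value alone on one side. The body of mjpeg_decode_com() continues past the hunk, so the path taken when the check fails is not visible here; if it falls through silently, logging or returning an error for a truncated comment segment would make malformed input easier to notice.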