Add a few size checks when decoding rtjpeg blocks.

Might avoid crashes in unlikely cases, but mostly avoids ugly artefacts
for partial frames.

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@18925 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c
index 2736807439d7003f8ca1fcc542737c53a1366ed9..ec31656a092c3b8e19d0e539916312ec44d87d2f 100644 (file)
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -55,6 +55,9 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 
     // number of non-zero coefficients
     coeff = get_bits(gb, 6);
+    if (get_bits_count(gb) + (coeff << 1) >= gb->size_in_bits)
+        return 0;
+
     // normally we would only need to clear the (63 - coeff) last values,
     // but since we do not know where they are we just clear the whole block
     memset(block, 0, 64 * sizeof(DCTELEM));
@@ -69,6 +72,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 
     // 4 bits per coefficient
     ALIGN(4);
+    if (get_bits_count(gb) + (coeff << 2) >= gb->size_in_bits)
+        return 0;
     while (coeff) {
         ac = get_sbits(gb, 4);
         if (ac == -8)
@@ -78,6 +83,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 
     // 8 bits per coefficient
     ALIGN(8);
+    if (get_bits_count(gb) + (coeff << 3) >= gb->size_in_bits)
+        return 0;
     while (coeff) {
         ac = get_sbits(gb, 8);
         PUT_COEFF(ac);