From: Michael Niedermayer <michaelni@gmx.at>
Date: Wed, 4 Feb 2015 19:48:30 +0000 (+0100)
Subject: avcodec/mjpegdec: Check number of components for JPEG-LS
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u6+rpi1^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5dce63750ee7be3e115b6f4d85bfd8dbcaf9d543;p=libav.git

avcodec/mjpegdec: Check number of components for JPEG-LS

Fixes out of array accesses
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Gbp-Pq: Name CVE-2015-1872.patch
---

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 7aedd2a..3f3f81a 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -375,8 +375,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
         return AVERROR_PATCHWELCOME;
     }
     if (s->ls) {
-        if (s->nb_components > 1)
+        if (s->nb_components == 3) {
             s->avctx->pix_fmt = AV_PIX_FMT_RGB24;
+        } else if (s->nb_components != 1) {
+            av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components);
+            return AVERROR_PATCHWELCOME;
+        }
         else if (s->bits <= 8)
             s->avctx->pix_fmt = AV_PIX_FMT_GRAY8;
         else