From: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Date: Sat, 31 Aug 2019 15:36:55 +0000 (+0100)
Subject: avcodec/jpeg2000dec: Check for duplicate SIZ marker
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u8+rpi1^2~46
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f49bd04c4d124cbba690502d6c5b8d4429d4ac7b;p=libav.git

avcodec/jpeg2000dec: Check for duplicate SIZ marker

avcodec/jpeg2000dec: Check for duplicate SIZ marker

Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Gbp-Pq: Name CVE-2015-8363.patch
---

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index aed9b2b..24b1efe 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1265,6 +1265,7 @@ static void jpeg2000_dec_cleanup(Jpeg2000DecoderContext *s)
     }
     av_freep(&s->tile);
     s->numXtiles = s->numYtiles = 0;
+    s->ncomponents = 0;
 }
 
 static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
@@ -1315,6 +1316,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
 
         switch (marker) {
         case JPEG2000_SIZ:
+            if (s->ncomponents) {
+                av_log(s->avctx, AV_LOG_ERROR, "Duplicate SIZ\n");
+                return AVERROR_INVALIDDATA;
+            }
             ret = get_siz(s);
             break;
         case JPEG2000_COC: