jpeg2000: check len before parsing header

Avoid overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 8cc1094..e1da04d 100644 (file)
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1241,9 +1241,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
         if (marker == JPEG2000_EOC)
             break;
 
-        if (bytestream2_get_bytes_left(&s->g) < 2)
-            return AVERROR_INVALIDDATA;
         len = bytestream2_get_be16u(&s->g);
+        if (len < 2 || bytestream2_get_bytes_left(&s->g) < len - 2)
+            return AVERROR_INVALIDDATA;
+
         switch (marker) {
         case JPEG2000_SIZ:
             ret = get_siz(s);