Diffstat (limited to 'ffmpeg/libavformat/jvdec.c')
-rw-r--r--ffmpeg/libavformat/jvdec.c46
1 files changed, 31 insertions, 15 deletions
diff --git a/ffmpeg/libavformat/jvdec.c b/ffmpeg/libavformat/jvdec.c
index e941492..03ac43d 100644
--- a/ffmpeg/libavformat/jvdec.c
+++ b/ffmpeg/libavformat/jvdec.c
@@ -33,10 +33,10 @@
#define JV_PREAMBLE_SIZE 5
typedef struct {
- int audio_size; /** audio packet size (bytes) */
- int video_size; /** video packet size (bytes) */
- int palette_size; /** palette size (bytes) */
- int video_type; /** per-frame video compression type */
+ int audio_size; /**< audio packet size (bytes) */
+ int video_size; /**< video packet size (bytes) */
+ int palette_size; /**< palette size (bytes) */
+ int video_type; /**< per-frame video compression type */
} JVFrame;
typedef struct {
@@ -59,6 +59,15 @@ static int read_probe(AVProbeData *pd)
return 0;
}
+static int read_close(AVFormatContext *s)
+{
+ JVDemuxContext *jv = s->priv_data;
+
+ av_freep(&jv->frames);
+
+ return 0;
+}
+
static int read_header(AVFormatContext *s)
{
JVDemuxContext *jv = s->priv_data;
@@ -119,10 +128,23 @@ static int read_header(AVFormatContext *s)
jvf->audio_size = avio_rl32(pb);
jvf->video_size = avio_rl32(pb);
jvf->palette_size = avio_r8(pb) ? 768 : 0;
- jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0),
- INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size);
+
+ if ((jvf->video_size | jvf->audio_size) & ~0xFFFFFF ||
+ e->size - jvf->audio_size
+ - jvf->video_size
+ - jvf->palette_size < 0) {
+ if (s->error_recognition & AV_EF_EXPLODE) {
+ read_close(s);
+ return AVERROR_INVALIDDATA;
+ }
+ jvf->audio_size =
+ jvf->video_size =
+ jvf->palette_size = 0;
+ }
+
if (avio_r8(pb))
av_log(s, AV_LOG_WARNING, "unsupported audio codec\n");
+
jvf->video_type = avio_r8(pb);
avio_skip(pb, 1);
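Review bot: In the non-EXPLODE branch of the new size check, the three sizes are zeroed without any log message, so a truncated or malformed frame index silently turns into empty frames. Adding `av_log(s, AV_LOG_WARNING, "invalid frame sizes in index\n");` before the zeroing would make that visible to whoever triages the file. The mask test also deserves a one-line comment, for example `/* sizes are untrusted 32-bit reads: reject negative or > 0xFFFFFF so the subtraction below cannot overflow */`, because it replaces the removed FFMIN/FFMAX clamp. Whether the `e->size - ...` comparison is sound depends on how `e->size` is filled, which is outside this hunk, as is the rest of read_header.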
@@ -184,6 +206,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
}
}
+ if (s->pb->eof_reached)
+ return AVERROR_EOF;
+
return AVERROR(EIO);
}
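Review bot: The added `eof_reached` test may report a read error as end of file, because as far as I know the I/O layer also sets `eof_reached` when a read fails and records the cause in `s->pb->error`. Checking the error first, `if (s->pb->error) return s->pb->error;`, would keep a failing read distinguishable from a clean end of stream. The loop that precedes this return is outside the hunk, so whether a partially read packet can reach this point could not be checked here.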
@@ -218,15 +243,6 @@ static int read_seek(AVFormatContext *s, int stream_index,
return 0;
}
-static int read_close(AVFormatContext *s)
-{
- JVDemuxContext *jv = s->priv_data;
-
- av_freep(&jv->frames);
-
- return 0;
-}
-
AVInputFormat ff_jv_demuxer = {
.name = "jv",
.long_name = NULL_IF_CONFIG_SMALL("Bitmap Brothers JV"),