From e82b181f8096d20a163b054b8117838437d6b694 Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos
Date: Sat, 3 Sep 2016 14:21:46 +0200
Subject: lavc/mjpegdec: Only read JFIF thumbnail size if the segment is long enough.

Fixes ticket #5805.
---
 libavcodec/mjpegdec.c | 5 ++++-
 libavcodec/version.h | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 0645a1d..84d929a 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1690,6 +1690,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
 s->avctx->sample_aspect_ratio.num,
 s->avctx->sample_aspect_ratio.den);
+ len -= 8;
+ if (len >= 2) {
 t_w = get_bits(&s->gb, 8);
 t_h = get_bits(&s->gb, 8);
 if (t_w && t_h) {
@@ -1697,7 +1699,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
 if (len -10 - (t_w * t_h * 3) > 0)
 len -= t_w * t_h * 3;
 }
- len -= 10;
+ len -= 2;
+ }
 goto out;
 }
diff --git a/libavcodec/version.h b/libavcodec/version.h
index f7a7344..e83e3aa 100644
--- a/libavcodec/version.h
+++ b/libavcodec/version.h
@@ -29,7 +29,7 @@
 #define LIBAVCODEC_VERSION_MAJOR 57
 #define LIBAVCODEC_VERSION_MINOR 54
-#define LIBAVCODEC_VERSION_MICRO 101
+#define LIBAVCODEC_VERSION_MICRO 102
 #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \
 LIBAVCODEC_VERSION_MINOR, \
--
cgit v1.1
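Review bot: In the second libavcodec/mjpegdec.c hunk the unchanged bound `if (len -10 - (t_w * t_h * 3) > 0)` still subtracts the full 10-byte JFIF header, although the new `len -= 8;` in the first hunk has already taken 8 of those bytes off `len`. The comparison is therefore 8 bytes stricter than it was before the change, so the thumbnail size is no longer deducted for segments that have fewer than 8 spare bytes beyond the thumbnail. The bound that matches the new accounting would be `if (len - 2 - (t_w * t_h * 3) > 0)`. The added `if (len >= 2) {` block also leaves its body at the old indent level, which hides the nesting in a length-checking path that parses untrusted input. mjpeg_decode_app starts and ends outside both hunks, so how the remaining `len` is consumed after `goto out` is not visible here.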