From 44d4eaab7c61aed00c3e000594b7c3f467ac591e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Laheurte?=
Date: Thu, 10 Sep 2020 11:24:32 +0200
Subject: [PATCH] jpegdec: check buffer size before dereferencing.
Fixes #541
Some cameras (Panacast) have buggy drivers/firmware which send invalid JPEG frames, containing no data, which makes jpegdec crash because it assumes the frame is at least 2 bytes long.
Part-of:
---
 ext/jpeg/gstjpegdec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ext/jpeg/gstjpegdec.c b/ext/jpeg/gstjpegdec.c
index 0962fe8cf8..c4bb732a9c 100644
--- a/ext/jpeg/gstjpegdec.c
+++ b/ext/jpeg/gstjpegdec.c
@@ -1215,6 +1215,8 @@ gst_jpeg_dec_handle_frame (GstVideoDecoder * bdec, GstVideoCodecFrame * frame)
 data = dec->current_frame_map.data;
 nbytes = dec->current_frame_map.size;
+ if (nbytes < 2)
+ goto need_more_data;
 has_eoi = ((data[nbytes - 2] == 0xff) && (data[nbytes - 1] == 0xd9));
 /* some cameras fail to send an end-of-image marker (EOI),
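Review bot: The new `if (nbytes < 2)` guard routes a frame the commit message describes as invalid to `need_more_data` with no comment and no diagnostic, so the literal 2 is unexplained and a device that keeps sending empty frames appears to be skipped silently. I would add a comment above the guard such as `/* the EOI check below reads the last two bytes (0xff 0xd9) */` and, if the label does not already log at a visible level, a warning that names the frame size so the faulty camera can be identified from logs. The label and the rest of gst_jpeg_dec_handle_frame lie outside the hunk, so it should be confirmed there that this early exit releases the frame and the mapped input buffer. The result of the mapping that fills `current_frame_map` is not visible here either; if that call can fail, `data` needs its own check before the `has_eoi` line.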