From 8281cbbb9693b2cefbe27dbdac40a6a7765ef1f4 Mon Sep 17 00:00:00 2001
From: Michel Promonet <michel.promonet@free.fr>
Date: Wed, 27 Feb 2019 23:03:19 +0100
Subject: [PATCH] fix dqt parsing

---
 src/MJPEGVideoSource.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/MJPEGVideoSource.cpp b/src/MJPEGVideoSource.cpp
index 310eada..028be1e 100644
--- a/src/MJPEGVideoSource.cpp
+++ b/src/MJPEGVideoSource.cpp
@@ -45,7 +45,7 @@ void MJPEGVideoSource::afterGettingFrame(unsigned frameSize,unsigned numTruncate
 		i+=length+2;
 	    }
 	    // DQT
-	    else if ((fTo[i] == 0xFF) && (fTo[i+1] == 0xDB)) {
+	    else if (((i+5) < frameSize) && (fTo[i] == 0xFF) && (fTo[i+1] == 0xDB)) {
 		int length = (fTo[i+2]<<8)|(fTo[i+3]);		    
 		LOG(DEBUG) << "DQT length:" << length;
 
@@ -53,8 +53,8 @@ void MJPEGVideoSource::afterGettingFrame(unsigned frameSize,unsigned numTruncate
 		unsigned int quantIdx  = fTo[i+4]&0x0f;
 		unsigned int quantSize =  64*(precision+1);
 		if (quantSize*quantIdx+quantSize <= sizeof(m_qTable)) {
-		    if ( (i+5+length) < frameSize) {
-		    	memcpy(m_qTable + quantSize*quantIdx, fTo + i + 5, length);
+		    if ( (i+2+length) < frameSize) {
+		    	memcpy(m_qTable + quantSize*quantIdx, fTo + i + 5, length-3);
 		    	LOG(DEBUG) << "Quantization table idx:" << quantIdx << " precision:" << precision << " size:" << quantSize << " total size:" << m_qTableSize;
 		    	if (quantSize*quantIdx+quantSize > m_qTableSize) {
 				m_qTableSize = quantSize*quantIdx+quantSize;