RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/svq3: Reintroduce slice_type 

Fixes out of array read
Fixes: 1642cd3962249d6aaf0eec2836023fb6/signal_sigsegv_2557a72_2995_04efaf2ff57a052f609a3b4a2ea4e622.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2016-09-08 21:15:55 +02:00
parent c0fc83ed41
commit 2d3099ad8e
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/svq3.c
View File

@ -115,6 +115,7 @@ typedef struct SVQ3Context {
int prev_frame_num;
enum AVPictureType pict_type;
enum AVPictureType slice_type;
int low_delay;
int mb_x, mb_y;
@ -1070,7 +1071,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx)
return -1;
}
s->pict_type = ff_h264_golomb_to_pict_type[slice_id];
s->slice_type = ff_h264_golomb_to_pict_type[slice_id];
if ((header & 0x9F) == 2) {
i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1));
@ -1439,6 +1440,8 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data,
if (svq3_decode_slice_header(avctx))
return -1;
s->pict_type = s->slice_type;
if (s->pict_type != AV_PICTURE_TYPE_B)
FFSWAP(SVQ3Frame*, s->next_pic, s->last_pic);
@ -1552,6 +1555,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data,
if (svq3_decode_slice_header(avctx))
return -1;
}
if (s->slice_type != s->pict_type) {
avpriv_request_sample(avctx, "non constant slice type\n");
}
/* TODO: support s->mb_skip_run */
}