From 4e6413c67d3f80d24db2caa9ce5f030225e67e2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Sat, 5 Nov 2011 22:26:42 +0100
Subject: [PATCH] rtjpeg: check get_block return value for error.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This avoids crashes due to reading out-of-bounds.

Signed-off-by: Reimar Döffinger
---
 libavcodec/rtjpeg.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c
index 1827c9111b..07e4f02e67 100644
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -114,24 +114,25 @@ int rtjpeg_decode_frame_yuv420(RTJpegContext *c, AVFrame *f,
 init_get_bits(&gb, buf, buf_size * 8);
 for (y = 0; y < h; y++) {
 for (x = 0; x < w; x++) {
+#define BLOCK(quant, dst, stride) do { \
+ int res = get_block(&gb, block, c->scan, quant); \
+ if (res < 0) \
+ return res; \
+ if (res > 0) \
+ c->dsp->idct_put(dst, stride, block); \
+} while (0)
 DCTELEM *block = c->block;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y1, f->linesize[0], block);
+ BLOCK(c->lquant, y1, f->linesize[0]);
 y1 += 8;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y1, f->linesize[0], block);
+ BLOCK(c->lquant, y1, f->linesize[0]);
 y1 += 8;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y2, f->linesize[0], block);
+ BLOCK(c->lquant, y2, f->linesize[0]);
 y2 += 8;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y2, f->linesize[0], block);
+ BLOCK(c->lquant, y2, f->linesize[0]);
 y2 += 8;
- if (get_block(&gb, block, c->scan, c->cquant) > 0)
- c->dsp->idct_put(u, f->linesize[1], block);
+ BLOCK(c->cquant, u, f->linesize[1]);
 u += 8;
- if (get_block(&gb, block, c->scan, c->cquant) > 0)
- c->dsp->idct_put(v, f->linesize[2], block);
+ BLOCK(c->cquant, v, f->linesize[2]);
 v += 8;
 }
 y1 += 2 * 8 * (f->linesize[0] - w);
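Review bot: The `BLOCK` macro defined inside the inner loop hides a `return res;` and is not undefined anywhere in the visible lines, so the early exit from rtjpeg_decode_frame_yuv420 cannot be seen at the six call sites and the macro stays defined for the rest of the translation unit. I would put a comment above the define, `/* decodes one block; returns from the enclosing function when get_block() reports an error */`, and add `#undef BLOCK` after the x loop. The function can now return a negative value part-way through a frame, leaving the planes partly written, so its callers presumably need to check for a negative result and discard the frame. Neither the callers nor the function's own return statement are in this hunk, so that should be confirmed there. The function body starts and ends outside the hunk.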