RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-02 18:48:27 +00:00
Code Issues Projects Releases Wiki Activity

avcodec/mjpegdec: Skip blocks which are outside the visible area

Browse Source 
Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08509c8f86)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2015-02-11 03:33:53 +01:00
parent 0cbf53bdf5
commit 345962121d
1 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
libavcodec/mjpegdec.c
View File

@ -1251,13 +1251,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
if (s->interlaced && s->bottom_field) if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1; block_offset += linesize[c] >> 1;
ptr = data[c] + block_offset; if ( 8*(h * mb_x + x) < s->width
&& 8*(v * mb_y + y) < s->height) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
if (!s->progressive) { if (!s->progressive) {
if (copy_mb) if (copy_mb) {
mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, if (ptr)
linesize[c], s->avctx->lowres); mjpeg_copy_block(s, ptr, reference_data[c] + block_offset,
linesize[c], s->avctx->lowres);
else { } else {
s->bdsp.clear_block(s->block); s->bdsp.clear_block(s->block);
if (decode_block(s, s->block, i, if (decode_block(s, s->block, i,
s->dc_index[i], s->ac_index[i], s->dc_index[i], s->ac_index[i],
@ -1266,9 +1271,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
"error y=%d x=%d\n", mb_y, mb_x); "error y=%d x=%d\n", mb_y, mb_x);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
s->idsp.idct_put(ptr, linesize[c], s->block); if (ptr) {
if (s->bits & 7) s->idsp.idct_put(ptr, linesize[c], s->block);
shift_output(s, ptr, linesize[c]); if (s->bits & 7)
shift_output(s, ptr, linesize[c]);
}
} }
} else { } else {
int block_idx = s->block_stride[c] * (v * mb_y + y) + int block_idx = s->block_stride[c] * (v * mb_y + y) +