From c9220d5b06536ac359166214b4131a1f15244617 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Jul 2015 18:53:17 +0200 Subject: [PATCH] avcodec/mjpegdec: Reorder operations to avoid undefined behavior Fixes: asan_heap-oob_1dd60fd_267_cov_2954683513_5baad44ca4702949724234e35c5bb341.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 8bf950db6a..f85eabfe4d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -719,7 +719,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, av_log(s->avctx, AV_LOG_ERROR, "error dc\n"); return AVERROR_INVALIDDATA; } - val = (val * quant_matrix[0] << Al) + s->last_dc[component]; + val = (val * (quant_matrix[0] << Al)) + s->last_dc[component]; s->last_dc[component] = val; block[0] = val; return 0; @@ -762,14 +762,14 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, if (i >= se) { if (i == se) { j = s->scantable.permutated[se]; - block[j] = level * quant_matrix[j] << Al; + block[j] = level * (quant_matrix[j] << Al); break; } av_log(s->avctx, AV_LOG_ERROR, "error count: %d\n", i); return AVERROR_INVALIDDATA; } j = s->scantable.permutated[i]; - block[j] = level * quant_matrix[j] << Al; + block[j] = level * (quant_matrix[j] << Al); } else { if (run == 0xF) {// ZRL - skip 15 coefficients i += 15; @@ -848,7 +848,7 @@ static int decode_block_refinement(MJpegDecodeContext *s, int16_t *block, ZERO_RUN; j = s->scantable.permutated[i]; val--; - block[j] = ((quant_matrix[j]^val) - val) << Al; + block[j] = ((quant_matrix[j] << Al) ^ val) - val; if (i == se) { if (i > *last_nnz) *last_nnz = i;