69 lines
2.4 KiB
Diff
69 lines
2.4 KiB
Diff
From 6043c431c97d55173f339fafbd033d3c0642e2e9 Mon Sep 17 00:00:00 2001
|
|
From: Michael Niedermayer <michaelni@gmx.at>
|
|
Date: Fri, 3 Oct 2014 01:50:27 +0200
|
|
Subject: [PATCH 2/2] avcodec/mjpegdec: check bits per pixel for changes
|
|
similar to dimensions
|
|
|
|
Upstream-Status: Backport
|
|
|
|
Fixes out of array accesses
|
|
Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi
|
|
|
|
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
|
|
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
Conflicts:
|
|
libavcodec/mjpegdec.c
|
|
---
|
|
libavcodec/mjpegdec.c | 15 ++++++++-------
|
|
1 file changed, 8 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/gst-libs/ext/libav/libavcodec/mjpegdec.c b/gst-libs/ext/libav/libavcodec/mjpegdec.c
|
|
index 84343c0..c0137d8 100644
|
|
--- a/gst-libs/ext/libav/libavcodec/mjpegdec.c
|
|
+++ b/gst-libs/ext/libav/libavcodec/mjpegdec.c
|
|
@@ -210,16 +210,16 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s)
|
|
|
|
int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
|
|
{
|
|
- int len, nb_components, i, width, height, pix_fmt_id;
|
|
+ int len, nb_components, i, bits, width, height, pix_fmt_id;
|
|
|
|
/* XXX: verify len field validity */
|
|
len = get_bits(&s->gb, 16);
|
|
- s->bits= get_bits(&s->gb, 8);
|
|
+ bits= get_bits(&s->gb, 8);
|
|
|
|
- if(s->pegasus_rct) s->bits=9;
|
|
- if(s->bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly
|
|
+ if(s->pegasus_rct) bits=9;
|
|
+ if(bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly
|
|
|
|
- if (s->bits != 8 && !s->lossless){
|
|
+ if (bits != 8 && !s->lossless){
|
|
av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n");
|
|
return -1;
|
|
}
|
|
@@ -239,7 +239,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
|
|
if (nb_components <= 0 ||
|
|
nb_components > MAX_COMPONENTS)
|
|
return -1;
|
|
- if (s->ls && !(s->bits <= 8 || nb_components == 1)){
|
|
+ if (s->ls && !(bits <= 8 || nb_components == 1)){
|
|
av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n");
|
|
return -1;
|
|
}
|
|
@@ -272,10 +272,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
|
|
|
|
/* if different size, realloc/alloc picture */
|
|
/* XXX: also check h_count and v_count */
|
|
- if (width != s->width || height != s->height) {
|
|
+ if (width != s->width || height != s->height || bits != s->bits) {
|
|
av_freep(&s->qscale_table);
|
|
|
|
s->width = width;
|
|
+ s->bits= bits;
|
|
s->height = height;
|
|
s->interlaced = 0;
|
|
|