authorMichael Niedermayer <michaelni@gmx.at>2012-03-01 19:56:57 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-03-01 19:57:55 +0100
commitdc945b1fa8ae65a18116d2ba362871aeebc573b0 (patch)
treea9adedcc126394ad1bdd68d1551aa76891117979
parent32f0c658283e2451add02a6ee5c719efa877a34c (diff)
eatgq: Pass error code from tgq_decode_mb() and let the caller fail.
This fixes an over-read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/eatgq.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c
index 9bf15f464a..1cce1da49e 100644
--- a/libavcodec/eatgq.c
+++ b/libavcodec/eatgq.c
@@ -141,7 +141,7 @@ static void tgq_idct_put_mb_dconly(TgqContext *s, int mb_x, int mb_y, const int8
}
}
-static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs, const uint8_t *buf_end){
+static int tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs, const uint8_t *buf_end){
int mode;
int i;
int8_t dc[6];
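Review bot: tgq_decode_mb() now returns a status, but nothing at the definition states the contract, so a later caller could ignore the result again. A short comment above the signature would help, for example `/* @return 0 on success, AVERROR_INVALIDDATA if the macroblock is truncated */`, which matches the two return statements this commit adds. The function body continues outside this hunk.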
@@ -149,7 +149,7 @@ static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs,
mode = bytestream_get_byte(bs);
if (mode>buf_end-*bs) {
av_log(s->avctx, AV_LOG_ERROR, "truncated macroblock\n");
- return;
+ return AVERROR_INVALIDDATA;
}
if (mode>12) {
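Review bot: The truncation test `if (mode>buf_end-*bs)` runs only after `bytestream_get_byte(bs)` has already consumed the mode byte, so when `*bs` has reached `buf_end` that one-byte read is itself past the end of the input. No guard on this is visible in the hunk, and the caller's loop invokes the function once per macroblock regardless of how much data remains. Consider checking before the read, `if (*bs >= buf_end) return AVERROR_INVALIDDATA;`, so the function never depends on input padding. The body starts and continues outside this hunk, so confirm that no such check exists in the unseen lines.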
@@ -174,6 +174,8 @@ static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs,
tgq_idct_put_mb_dconly(s, mb_x, mb_y, dc);
}
*bs += mode;
+
+ return 0;
}
static void tgq_calculate_qtable(TgqContext *s, int quant){
@@ -196,7 +198,7 @@ static int tgq_decode_frame(AVCodecContext *avctx,
const uint8_t *buf_start = buf;
const uint8_t *buf_end = buf + buf_size;
TgqContext *s = avctx->priv_data;
- int x,y;
+ int x,y, ret;
int big_endian = AV_RL32(&buf[4]) > 0x000FFFFF;
buf += 8;
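Review bot: The `big_endian` initializer `AV_RL32(&buf[4])` reads packet bytes 4..7 in the declaration block, before any check of `buf_size` can have run, and `buf += 8` follows directly. For a packet shorter than 8 bytes this read stays in bounds only if the input buffer is padded. If the length check that presumably follows outside the hunk comes after these lines, it would be safer to do the read after a guard along the lines of `if (buf_size < 8) return AVERROR_INVALIDDATA;`. The rest of tgq_decode_frame() is not visible here.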
@@ -228,7 +230,8 @@ static int tgq_decode_frame(AVCodecContext *avctx,
for (y=0; y<(avctx->height+15)/16; y++)
for (x=0; x<(avctx->width+15)/16; x++)
- tgq_decode_mb(s, y, x, &buf, buf_end);
+ if ((ret=tgq_decode_mb(s, y, x, &buf, buf_end)) < 0)
+ return ret;
*data_size = sizeof(AVFrame);
*(AVFrame*)data = s->frame;
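Review bot: The new early exit is the body of two unbraced nested `for` loops, so a `return` that abandons the whole frame is easy to misread and fragile under later edits. Bracing both loops and the `if` would make the control flow explicit. The assignment inside the condition could also be split for readability: `ret = tgq_decode_mb(s, y, x, &buf, buf_end);` followed by `if (ret < 0) return ret;`. tgq_decode_frame() continues outside this hunk, so whether any cleanup is needed before returning on this path cannot be judged from here.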