aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2015-02-11 03:33:53 +0100
committerMichael Niedermayer <michaelni@gmx.at>2015-02-13 20:48:08 +0100
commit492818d724d910d3b5933c5f762b5151f764bbea (patch)
tree29c9a917b4617135037f17e1e16d5b0890280e99
parentca98c016cd44d1eef61c02f46f40ef5674d3cc31 (diff)
downloadffmpeg-492818d724d910d3b5933c5f762b5151f764bbea.tar.gz
avcodec/mjpegdec: Skip blocks which are outside the visible area
Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash.avi Found-by: Thomas Lindroth <thomas.lindroth@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/mjpegdec.c23
1 files changed, 15 insertions, 8 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index a7479ae7e1..04018741f4 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1226,13 +1226,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
- ptr = data[c] + block_offset;
+ if ( 8*(h * mb_x + x) < s->width
+ && 8*(v * mb_y + y) < s->height) {
+ ptr = data[c] + block_offset;
+ } else
+ ptr = NULL;
if (!s->progressive) {
- if (copy_mb)
- mjpeg_copy_block(s, ptr, reference_data[c] + block_offset,
- linesize[c], s->avctx->lowres);
+ if (copy_mb) {
+ if (ptr)
+ mjpeg_copy_block(s, ptr, reference_data[c] + block_offset,
+ linesize[c], s->avctx->lowres);
- else {
+ } else {
s->bdsp.clear_block(s->block);
if (decode_block(s, s->block, i,
s->dc_index[i], s->ac_index[i],
@@ -1241,9 +1246,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
"error y=%d x=%d\n", mb_y, mb_x);
return AVERROR_INVALIDDATA;
}
- s->idsp.idct_put(ptr, linesize[c], s->block);
- if (s->bits & 7)
- shift_output(s, ptr, linesize[c]);
+ if (ptr) {
+ s->idsp.idct_put(ptr, linesize[c], s->block);
+ if (s->bits & 7)
+ shift_output(s, ptr, linesize[c]);
+ }
}
} else {
int block_idx = s->block_stride[c] * (v * mb_y + y) +