author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-05-24 09:03:45 +0000 |
---|---|---|
committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-05-24 09:03:45 +0000 |
commit | 8d857c543402911f46ad38b093ab9aaf5b9a9a18 (patch) | |
tree | b3cc1f490c398d2baeceef00b9542b8d31a1da1b | |
parent | 0766291a669281f556d7a0b32e8a920650dd93db (diff) | |
download | ffmpeg-8d857c543402911f46ad38b093ab9aaf5b9a9a18.tar.gz |
Add a few size checks when decoding rtjpeg blocks.
Might avoid crashes in unlikely cases, but mostly avoids ugly artefacts
for partial frames.
Originally committed as revision 18925 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/rtjpeg.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c
index 2736807439..ec31656a09 100644
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -55,6 +55,9 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 // number of non-zero coefficients
 coeff = get_bits(gb, 6);
+ if (get_bits_count(gb) + (coeff << 1) >= gb->size_in_bits)
+ return 0;
+
 // normally we would only need to clear the (63 - coeff) last values,
 // but since we do not know where they are we just clear the whole block
 memset(block, 0, 64 * sizeof(DCTELEM));
@@ -69,6 +72,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 // 4 bits per coefficient
 ALIGN(4);
+ if (get_bits_count(gb) + (coeff << 2) >= gb->size_in_bits)
+ return 0;
 while (coeff) {
 ac = get_sbits(gb, 4);
 if (ac == -8)
@@ -78,6 +83,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
 // 8 bits per coefficient
 ALIGN(8);
+ if (get_bits_count(gb) + (coeff << 3) >= gb->size_in_bits)
+ return 0;
 while (coeff) {
 ac = get_sbits(gb, 8);
 PUT_COEFF(ac); |
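Review bot: The three added bounds checks (after `coeff = get_bits(gb, 6);`, after `ALIGN(4);` and after `ALIGN(8);`) all bail out with a bare `return 0`, so a truncated or malformed block is reported without any log message; the callers and the other return paths of get_block are outside these hunks, but if zero already carries another meaning there, short input cannot be told apart from it. I would either return a distinct negative value, e.g. `return -1; // not enough bits left for coeff coefficients`, and let the caller stop decoding the frame, or state in the function's doc comment that 0 is also returned when the buffer ends early. In the second and third hunks the early return comes after the `memset` of the first hunk and presumably after earlier coefficients were stored, so that comment should also say `block` may be left partially filled. The comparisons use `>=`, which also rejects a block whose coefficients end exactly at `gb->size_in_bits`; if that margin is deliberate a short comment should say so, otherwise `>` is the exact bound.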