diff options
author | Anton Khirnov <anton@khirnov.net> | 2016-12-17 17:04:55 +0100 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2016-12-19 08:15:49 +0100 |
commit | c2fa6bb0e8703a7a6aa10e11f9ab36094416d83f (patch) | |
tree | 8ab6b3c269c171a379bc2c5e2e819d69fc0e4a6b | |
parent | e807491fc6a336e4becc0cbc981274a8fde18aba (diff) | |
download | ffmpeg-c2fa6bb0e8703a7a6aa10e11f9ab36094416d83f.tar.gz |
mpeg12dec: move setting first_field to mpeg_field_start()
For field picture, the first_field is set based on its previous value.
Before this commit, first_field is set when reading the picture
coding extension. However, in corrupted files there may be multiple
picture coding extension headers, so the final value of first_field that
is actually used during decoding can be wrong. That can lead to various
undefined behaviour, like predicting from a non-existing field.
Fix this problem, by setting first_field in mpeg_field_start(), which
should be called exactly once per field.
CC: libav-stable@libav.org
Bug-ID: 999
-rw-r--r-- | libavcodec/mpeg12dec.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 310169becc..afdd652b6a 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1536,10 +1536,8 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) av_log(s->avctx, AV_LOG_WARNING, "invalid frame_pred_frame_dct\n"); if (s->picture_structure == PICT_FRAME) { - s->first_field = 0; s->v_edge_pos = 16 * s->mb_height; } else { - s->first_field ^= 1; s->v_edge_pos = 8 * s->mb_height; memset(s->mbskip_table, 0, s->mb_stride * s->mb_height); } @@ -1570,6 +1568,11 @@ static int mpeg_field_start(MpegEncContext *s, const uint8_t *buf, int buf_size) Mpeg1Context *s1 = (Mpeg1Context *) s; int ret; + if (s->picture_structure == PICT_FRAME) + s->first_field = 0; + else + s->first_field ^= 1; + /* start frame decoding */ if (s->first_field || s->picture_structure == PICT_FRAME) { AVFrameSideData *pan_scan; |