diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2015-02-11 03:33:53 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-03-12 00:47:05 +0100 |
| commit | 2b8c9c1f7de835d50937a8bf2ae90a61929b3bdd (patch) | |
| tree | e7aed5b468b573d431f126a5725c9237abff300c | |
| parent | 3eb6eeaab0cd42886abbae76c90d005ac82ec9ba (diff) | |
| download | ffmpeg-2b8c9c1f7de835d50937a8bf2ae90a61929b3bdd.tar.gz | |
avcodec/mjpegdec: Skip blocks which are outside the visible area
Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi
Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf)
Conflicts:
libavcodec/mjpegdec.c
(cherry picked from commit 5553947db2af443778f781a107d9fe9ad6ec5d17)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/mjpegdec.c | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a0dcbc76e5..9323d53db6 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -859,19 +859,28 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i if(s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; - if(!s->progressive) { + if ( 8*(h * mb_x + x) < s->width + && 8*(v * mb_y + y) < s->height) { + ptr = data[c] + block_offset; + } else + ptr = NULL; + if (!s->progressive) { if (copy_mb) { - mjpeg_copy_block(ptr, reference_data[c] + block_offset, linesize[c], s->avctx->lowres); + if (ptr) + mjpeg_copy_block(ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); } else { - s->dsp.clear_block(s->block); - if(decode_block(s, s->block, i, - s->dc_index[i], s->ac_index[i], - s->quant_matrixes[ s->quant_index[c] ]) < 0) { - av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); - return -1; - } - s->dsp.idct_put(ptr, linesize[c], s->block); + s->dsp.clear_block(s->block); + if (decode_block(s, s->block, i, + s->dc_index[i], s->ac_index[i], + s->quant_matrixes[s->quant_index[c]]) < 0) { + av_log(s->avctx, AV_LOG_ERROR, + "error y=%d x=%d\n", mb_y, mb_x); + return -1; + } + if (ptr) { + s->dsp.idct_put(ptr, linesize[c], s->block); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + (h * mb_x + x); |