diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2014-11-25 13:53:06 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-03-12 00:47:05 +0100 |
| commit | 30e8a375901f8802853fd6d478b77a127d208bd6 (patch) | |
| tree | 906428f7b5476bba3e7105949f415efa244a6716 | |
| parent | f78f7eca1a5ce67db6b1f8a159dc47cc57e8d43a (diff) | |
| download | ffmpeg-30e8a375901f8802853fd6d478b77a127d208bd6.tar.gz | |
avcodec/mjpegdec: Fix context fields becoming inconsistent
Fixes out of array access
Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844)
Conflicts:
libavcodec/mjpegdec.c
(cherry picked from commit 32d3acac727f3f4a6489ca129a5ea4ccdfcb34a5)
Conflicts:
libavcodec/mjpegdec.c
(cherry picked from commit 8d8ac60d70aee50d44a3e1d7de276598de041640)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/mjpegdec.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6d0ec63b95..8a6d50de0f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1177,6 +1177,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RL32("LJIF")){ + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); skip_bits(&s->gb, 16); /* version ? */ @@ -1185,17 +1187,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknwon always 0? */ switch( get_bits(&s->gb, 8)){ case 1: - s->rgb= 1; - s->pegasus_rct=0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb= 1; - s->pegasus_rct=1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n"); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } |