diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-01-11 12:43:45 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-01-11 13:01:07 +0100 |
| commit | 6fc064893270be7549eccc78fd085ca8521ad9f2 (patch) | |
| tree | 6ecde3cda9eca227db9e72b76b4034c463c64a1d | |
| parent | 8bfc8d88be9be07c53aa290515d022c9a938e18d (diff) | |
| parent | 7b8c5b263bc680eff5710bee5994de39d47fc15e (diff) | |
| download | ffmpeg-6fc064893270be7549eccc78fd085ca8521ad9f2.tar.gz | |
Merge commit '7b8c5b263bc680eff5710bee5994de39d47fc15e'
* commit '7b8c5b263bc680eff5710bee5994de39d47fc15e':
vc1dec: prevent a crash due missing pred_flag parameter
matroska: Fix use after free
Merged-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/vc1dec.c | 10 | ||||
| -rw-r--r-- | libavformat/matroskadec.c | 2 |
2 files changed, 8 insertions, 4 deletions
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index bdab48ca7f..fa25161d75 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1149,8 +1149,12 @@ static av_always_inline void get_mvdata_interlaced(VC1Context *v, int *dmv_x, *dmv_x = get_bits(gb, v->k_x); *dmv_y = get_bits(gb, v->k_y); if (v->numref) { - *pred_flag = *dmv_y & 1; - *dmv_y = (*dmv_y + *pred_flag) >> 1; + if (pred_flag) { + *pred_flag = *dmv_y & 1; + *dmv_y = (*dmv_y + *pred_flag) >> 1; + } else { + *dmv_y = (*dmv_y + (*dmv_y & 1)) >> 1; + } } } else { @@ -1177,7 +1181,7 @@ static av_always_inline void get_mvdata_interlaced(VC1Context *v, int *dmv_x, *dmv_y = (sign ^ ((val >> 1) + offs_tab[index1 >> v->numref])) - sign; } else *dmv_y = 0; - if (v->numref) + if (v->numref && pred_flag) *pred_flag = index1 & 1; } } diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4da4f1851f..87c4a39d0e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1881,6 +1881,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, */ static void matroska_clear_queue(MatroskaDemuxContext *matroska) { + matroska->prev_pkt = NULL; if (matroska->packets) { int n; for (n = 0; n < matroska->num_packets; n++) { @@ -2388,7 +2389,6 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, avio_seek(s->pb, st->index_entries[st->nb_index_entries-1].pos, SEEK_SET); matroska->current_id = 0; while ((index = av_index_search_timestamp(st, timestamp, flags)) < 0) { - matroska->prev_pkt = NULL; matroska_clear_queue(matroska); if (matroska_parse_cluster(matroska) < 0) break; |