author | Michael Niedermayer <michaelni@gmx.at> | 2014-11-25 13:53:06 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2015-03-12 18:03:49 +0100 |
commit | aebfcf7d6258760af42e84ab146f592fbfb6395c (patch) | |
tree | 44d4bcd1392a849f9dc89798817d472fb384a982 | |
parent | ec640e10b24923d59c0d981b7b5f7e5ab3eb8ea0 (diff) | |
avcodec/mjpegdec: Fix context fields becoming inconsistent
Fixes out of array access
Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844)
Conflicts:
libavcodec/mjpegdec.c
(cherry picked from commit 32d3acac727f3f4a6489ca129a5ea4ccdfcb34a5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/mjpegdec.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index d0520a3c2a..84bc9aa33d 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1376,6 +1376,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
 }
 if (id == AV_RL32("LJIF")) {
+ int rgb = s->rgb;
+ int pegasus_rct = s->pegasus_rct;
 if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n");
@@ -1385,17 +1387,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
 skip_bits(&s->gb, 16); /* unknwon always 0? */
 switch (get_bits(&s->gb, 8)) {
 case 1:
- s->rgb = 1;
- s->pegasus_rct = 0;
+ rgb = 1;
+ pegasus_rct = 0;
 break;
 case 2:
- s->rgb = 1;
- s->pegasus_rct = 1;
+ rgb = 1;
+ pegasus_rct = 1;
 break;
 default:
 av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n");
 }
+ len -= 9;
+ if (s->got_picture)
+ if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {
+ av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n");
+ goto out;
+ }
+
+ s->rgb = rgb;
+ s->pegasus_rct = pegasus_rct;
+ goto out;
 } |
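Review bot: The consistency guard added after the `switch` in the second hunk is written as two nested `if`s with no braces on the outer one, which is easy to misread and changes meaning silently if an `else` is ever attached; `if (s->got_picture && (rgb != s->rgb || pegasus_rct != s->pegasus_rct)) {` expresses the same condition in one line. The reason the two fields are staged in the locals from the first hunk and frozen once `got_picture` is set exists only in the commit message, so a comment above the check such as `/* rgb and pegasus_rct must not change once got_picture is set; a mid-stream change caused an out-of-array access */` would stop a later cleanup from removing it. On a mismatch the tag is dropped with a warning and decoding carries on with the old values, which looks deliberate; whether a hard error would suit such a stream better depends on code outside this hunk. The body of mjpeg_decode_app, including the `out:` label and any lower bound on `len` before `len -= 9`, lies outside both hunks.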