author | Michael Niedermayer <michael@niedermayer.cc> | 2015-11-05 23:04:48 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2015-11-06 00:15:21 +0100 |
commit | cea9eb9520fab9e5ec79d3a2d4dbd03eb71b7fa3 (patch) | |
tree | bcbf31340ad3ce0a070d9bd737be907cb503d204 | |
parent | d4a731b84a08f0f3839eaaaf82e97d8d9c67da46 (diff) | |
download | ffmpeg-cea9eb9520fab9e5ec79d3a2d4dbd03eb71b7fa3.tar.gz |
avcodec/dnxhddec: Make mb_scan_index a fixed length array
Fixes null pointer dereference
Fixes: 5c9d1a6f74a12763fc7c9dd7834022b9/signal_sigsegv_11f78d9_1461_ecee3c5e7205457498e79b3ffaf21d0c.mxf
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/dnxhddec.c | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c
index 2eb07ec5d8..f0fdbb9ea8 100644
--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@@ -57,7 +57,7 @@ typedef struct DNXHDContext {
 unsigned int width, height;
 enum AVPixelFormat pix_fmt;
 unsigned int mb_width, mb_height;
- uint32_t *mb_scan_index;
+ uint32_t mb_scan_index[256];
 int data_offset; // End of mb_scan_index, where macroblocks start
 int cur_field; ///< current interlaced field
 VLC ac_vlc, dc_vlc, run_vlc;
@@ -164,7 +164,6 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
 static const uint8_t header_prefixhr2[] = { 0x00, 0x00, 0x03, 0x8C, 0x03 };
 int i, cid, ret;
 int old_bit_depth = ctx->bit_depth, bitdepth;
- int old_mb_height = ctx->mb_height;
 if (buf_size < 0x280) {
 av_log(ctx->avctx, AV_LOG_ERROR,
@@ -293,13 +292,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
 return AVERROR_INVALIDDATA;
 }
- if (ctx->mb_height != old_mb_height) {
- av_freep(&ctx->mb_scan_index);
-
- ctx->mb_scan_index = av_mallocz_array(ctx->mb_height, sizeof(uint32_t));
- if (!ctx->mb_scan_index)
- return AVERROR(ENOMEM);
- }
+ av_assert0((unsigned)ctx->mb_height <= FF_ARRAY_ELEMS(ctx->mb_scan_index));
 for (i = 0; i < ctx->mb_height; i++) {
 ctx->mb_scan_index[i] = AV_RB32(buf + 0x170 + (i << 2));
@@ -681,7 +674,6 @@ static av_cold int dnxhd_decode_close(AVCodecContext *avctx)
 ff_free_vlc(&ctx->dc_vlc);
 ff_free_vlc(&ctx->run_vlc);
- av_freep(&ctx->mb_scan_index);
 av_freep(&ctx->rows);
 return 0; |
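Review bot: The array size in `uint32_t mb_scan_index[256];` (first hunk) is a bare literal with no stated relation to the largest `mb_height` the decoder accepts. A reader cannot tell from the struct whether 256 is the real limit or only a comfortable upper bound. A short field comment would make the invariant checkable, for example `uint32_t mb_scan_index[256]; ///< one entry per macroblock row; must cover the largest accepted mb_height`. The struct definition begins and ends outside the hunk, so the place where mb_height is range-checked is not visible here.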
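Review bot: In the third hunk the only visible guard between `ctx->mb_height` and the fixed array is `av_assert0(...)`, which aborts the process instead of rejecting the frame. If mb_height is taken from the bitstream and the check that ends just above this line (its condition is outside the hunk) does not already cap it, a malformed file becomes an abort; an error return is the safer form: `if (ctx->mb_height > FF_ARRAY_ELEMS(ctx->mb_scan_index)) return AVERROR_INVALIDDATA;`. The loop that follows reads `buf + 0x170 + (i << 2)`, while the minimum enforced at the top of the function is `buf_size < 0x280`, which covers only 68 entries. The accepted mb_height therefore has to be bounded by the input size as well as by the array size, and a comment next to the assert naming the check that guarantees this would help.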