authorJanne Grunau <janne-libav@jannau.net>2012-01-05 03:47:21 +0100
committerJanne Grunau <janne-libav@jannau.net>2012-01-05 18:20:35 +0100
commite268a352af893e47bd3ea2aed90761cb0b4feca7 (patch)
treefed175a4a2654916283354a3abbd7baed027f6dd
parent5e5cde27452d6725427feb3ae86c89e986506c8e (diff)
mjpegdec: parse RSTn to prevent skipping other data in mjpeg_decode_scan
Check explicitly if enough bits are left to prevent an infinite loop when the bitstream buffer is not followed by zero-padding. Based on patches by Michael Niedermayer <michaelni@gmx.at>.
-rw-r--r--libavcodec/mjpegdec.c24
1 files changed, 16 insertions, 8 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 058b08fa83..7a85c16d95 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -881,14 +881,22 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
}
}
- if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */
- --s->restart_count;
- align_get_bits(&s->gb);
- while(show_bits(&s->gb, 8) == 0xFF)
- skip_bits(&s->gb, 8);
- skip_bits(&s->gb, 8);
- for (i=0; i<nb_components; i++) /* reset dc */
- s->last_dc[i] = 1024;
+ if (s->restart_interval) {
+ s->restart_count--;
+ i = 8 + ((-get_bits_count(&s->gb)) & 7);
+ /* skip RSTn */
+ if (show_bits(&s->gb, i) == (1 << i) - 1) {
+ int pos = get_bits_count(&s->gb);
+ align_get_bits(&s->gb);
+ while (get_bits_left(&s->gb) >= 8 && show_bits(&s->gb, 8) == 0xFF)
+ skip_bits(&s->gb, 8);
+ if ((get_bits(&s->gb, 8) & 0xF8) == 0xD0) {
+ for (i = 0; i < nb_components; i++) /* reset dc */
+ s->last_dc[i] = 1024;
+ } else {
+ skip_bits_long(&s->gb, pos - get_bits_count(&s->gb));
+ }
+ }
}
}
}
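Review bot: The `get_bits(&s->gb, 8)` after the 0xFF-skipping loop is not covered by the `get_bits_left(&s->gb) >= 8` bound that the loop uses, so when the loop stops because fewer than 8 bits remain, the marker byte is still read from beyond the end of the data, which is the unpadded-buffer case the commit message is concerned with. Guarding the read keeps the fallback intact, since the `else` branch already rewinds to `pos`: `if (get_bits_left(&s->gb) >= 8 && (get_bits(&s->gb, 8) & 0xF8) == 0xD0) {`. The earlier `show_bits(&s->gb, i)` also peeks up to 15 bits with no remaining-bits check. Separately, the marker test now runs after every macroblock whenever `restart_interval` is set, not only where a restart is due, so a comment stating why decoded entropy bytes that happen to look like 0xFF 0xDn cannot be taken for a marker would help; how `restart_count` is consumed is outside this hunk. mjpeg_decode_scan begins and ends outside the hunk.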