author | Janne Grunau <janne-libav@jannau.net> | 2012-01-05 03:47:21 +0100 |
---|---|---|
committer | Janne Grunau <janne-libav@jannau.net> | 2012-01-05 18:20:35 +0100 |
commit | e268a352af893e47bd3ea2aed90761cb0b4feca7 (patch) | |
tree | fed175a4a2654916283354a3abbd7baed027f6dd | |
parent | 5e5cde27452d6725427feb3ae86c89e986506c8e (diff) | |
download | ffmpeg-e268a352af893e47bd3ea2aed90761cb0b4feca7.tar.gz |
mjpegdec: parse RSTn to prevent skipping other data in mjpeg_decode_scan
Check explicitly if enough bits are left to prevent an infinite loop
when the bitstream buffer is not followed by zero-padding.
Based on patches by Michael Niedermayer <michaelni@gmx.at>.
-rw-r--r-- | libavcodec/mjpegdec.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 058b08fa83..7a85c16d95 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -881,14 +881,22 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
 }
 }
- if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */
- --s->restart_count;
- align_get_bits(&s->gb);
- while(show_bits(&s->gb, 8) == 0xFF)
- skip_bits(&s->gb, 8);
- skip_bits(&s->gb, 8);
- for (i=0; i<nb_components; i++) /* reset dc */
- s->last_dc[i] = 1024;
+ if (s->restart_interval) {
+ s->restart_count--;
+ i = 8 + ((-get_bits_count(&s->gb)) & 7);
+ /* skip RSTn */
+ if (show_bits(&s->gb, i) == (1 << i) - 1) {
+ int pos = get_bits_count(&s->gb);
+ align_get_bits(&s->gb);
+ while (get_bits_left(&s->gb) >= 8 && show_bits(&s->gb, 8) == 0xFF)
+ skip_bits(&s->gb, 8);
+ if ((get_bits(&s->gb, 8) & 0xF8) == 0xD0) {
+ for (i = 0; i < nb_components; i++) /* reset dc */
+ s->last_dc[i] = 1024;
+ } else {
+ skip_bits_long(&s->gb, pos - get_bits_count(&s->gb));
+ }
+ }
 }
 }
 } |