diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2012-04-17 20:02:13 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-04-17 20:02:13 +0200 |
commit | a66675268f63dd6794ce946c7edbcb8b49ae0f13 (patch) | |
tree | be9b5f2af9af056383104f254c67ca165cb64992 /libavcodec/indeo5.c | |
parent | e90dfa6881afccf23a3dc494fa30c58d75945cbc (diff) | |
download | ffmpeg-a66675268f63dd6794ce946c7edbcb8b49ae0f13.tar.gz |
indeo5: dont run the wavelet transform over partially decoded bands.
This fixes a null pointer dereference.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/indeo5.c')
-rw-r--r-- | libavcodec/indeo5.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index b35486b106..5614e80519 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -78,6 +78,7 @@ typedef struct { IVIPicConfig pic_conf; int gop_invalid; + int buf_invalid[3]; } IVI5DecContext; @@ -797,6 +798,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, //{ START_TIMER; if (ctx->frame_type != FRAMETYPE_NULL) { + ctx->buf_invalid[ctx->dst_buf] = 1; for (p = 0; p < 3; p++) { for (b = 0; b < ctx->planes[p].num_bands; b++) { result = decode_band(ctx, p, &ctx->planes[p].bands[b], avctx); @@ -807,7 +809,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } } } + ctx->buf_invalid[ctx->dst_buf] = 0; } + if (ctx->buf_invalid[ctx->dst_buf]) + return -1; //STOP_TIMER("decode_planes"); } |