aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/mjpegdec.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2009-11-20 22:14:37 +0000
committerMichael Niedermayer <michaelni@gmx.at>2009-11-20 22:14:37 +0000
commit98c82d691089214251283a1c16808c10f0744ca1 (patch)
tree5d9466835c8e9ca9e2b591b3305ad1f50cdc38bb /libavcodec/mjpegdec.c
parent9fe08942102ecd2dda0d6751b3c7d9f736cc4ee3 (diff)
downloadffmpeg-98c82d691089214251283a1c16808c10f0744ca1.tar.gz
Allocate pictures with enough padding for jpeg.
Ensure that jpeg does not use mbs that could require larger padding. This might have been exploitable. Originally committed as revision 20566 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/mjpegdec.c')
-rw-r--r--libavcodec/mjpegdec.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 3cf408dfe9..5b213e40e4 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -292,9 +292,10 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
(s->h_count[2] << 12) | (s->v_count[2] << 8) |
(s->h_count[3] << 4) | s->v_count[3];
av_log(s->avctx, AV_LOG_DEBUG, "pix fmt id %x\n", pix_fmt_id);
- if(!(pix_fmt_id & 0x10101010))
+ //NOTE we do not allocate pictures large enough for the possible padding of h/v_count being 4
+ if(!(pix_fmt_id & 0xD0D0D0D0))
pix_fmt_id-= (pix_fmt_id & 0xF0F0F0F0)>>1;
- if(!(pix_fmt_id & 0x01010101))
+ if(!(pix_fmt_id & 0x0D0D0D0D))
pix_fmt_id-= (pix_fmt_id & 0x0F0F0F0F)>>1;
switch(pix_fmt_id){