diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-08-21 22:44:58 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-08-21 22:44:58 +0200 |
| commit | 878a7d1573d2031173a60efba453c558d826a506 (patch) | |
| tree | c57974d271ec05fa6d4d9d933e0950f31027cd5e /libavcodec | |
| parent | 6a57021cf96dc548b6cc2c97dedb8958225d58e3 (diff) | |
| parent | bd968d260aef322fb32e254a3de0d2036c57bd56 (diff) | |
| download | ffmpeg-878a7d1573d2031173a60efba453c558d826a506.tar.gz | |
Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7:
cavs: fix some crashes with invalid bitstreams
jpegdec: actually search for and parse RSTn
Conflicts:
libavcodec/mjpegdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/cavsdec.c | 9 | ||||
| -rw-r--r-- | libavcodec/mjpegdec.c | 2 |
2 files changed, 8 insertions, 3 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 6e83a7d381..222355ea5e 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -125,6 +125,8 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, level_code = get_ue_code(gb,r->golomb_order); if(level_code >= ESCAPE_CODE) { run = ((level_code - ESCAPE_CODE) >> 1) + 1; + if(run > 64) + return -1; esc_code = get_ue_code(gb,esc_golomb_order); level = esc_code + (run > r->max_run ? 1 : r->level_add[run]); while(level > r->inc_limit) @@ -190,7 +192,8 @@ static inline int decode_residual_inter(AVSContext *h) { static int decode_mb_i(AVSContext *h, int cbp_code) { GetBitContext *gb = &h->s.gb; - int block, pred_mode_uv; + unsigned pred_mode_uv; + int block; uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; @@ -446,6 +449,8 @@ static inline int check_for_slice(AVSContext *h) { if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) { skip_bits_long(gb,24+align); h->stc = get_bits(gb,8); + if (h->stc >= h->mb_height) + return 0; decode_slice_header(h,gb); return 1; } @@ -660,7 +665,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size, buf_end = buf + buf_size; for(;;) { buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc); - if(stc & 0xFFFFFE00) + if((stc & 0xFFFFFE00) || buf_ptr == buf_end) return FFMAX(0, buf_ptr - buf - s->parse_context.last_index); input_size = (buf_end - buf_ptr)*8; switch(stc) { diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 02c66f504b..5c6d84a07d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -881,7 +881,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } } - if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){/* skip RSTn */ + if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ --s->restart_count; align_get_bits(&s->gb); while(show_bits(&s->gb, 8) == 0xFF) |