1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
From 6043c431c97d55173f339fafbd033d3c0642e2e9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Fri, 3 Oct 2014 01:50:27 +0200
Subject: [PATCH 2/2] avcodec/mjpegdec: check bits per pixel for changes
similar to dimensions
Upstream-Status: Backport
Fixes out of array accesses
Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:
libavcodec/mjpegdec.c
---
libavcodec/mjpegdec.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/gst-libs/ext/libav/libavcodec/mjpegdec.c b/gst-libs/ext/libav/libavcodec/mjpegdec.c
index 84343c0..c0137d8 100644
--- a/gst-libs/ext/libav/libavcodec/mjpegdec.c
+++ b/gst-libs/ext/libav/libavcodec/mjpegdec.c
@@ -210,16 +210,16 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s)
int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
{
- int len, nb_components, i, width, height, pix_fmt_id;
+ int len, nb_components, i, bits, width, height, pix_fmt_id;
/* XXX: verify len field validity */
len = get_bits(&s->gb, 16);
- s->bits= get_bits(&s->gb, 8);
+ bits= get_bits(&s->gb, 8);
- if(s->pegasus_rct) s->bits=9;
- if(s->bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly
+ if(s->pegasus_rct) bits=9;
+ if(bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly
- if (s->bits != 8 && !s->lossless){
+ if (bits != 8 && !s->lossless){
av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n");
return -1;
}
@@ -239,7 +239,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
if (nb_components <= 0 ||
nb_components > MAX_COMPONENTS)
return -1;
- if (s->ls && !(s->bits <= 8 || nb_components == 1)){
+ if (s->ls && !(bits <= 8 || nb_components == 1)){
av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n");
return -1;
}
@@ -272,10 +272,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
/* if different size, realloc/alloc picture */
/* XXX: also check h_count and v_count */
- if (width != s->width || height != s->height) {
+ if (width != s->width || height != s->height || bits != s->bits) {
av_freep(&s->qscale_table);
s->width = width;
+ s->bits= bits;
s->height = height;
s->interlaced = 0;
|