Skip to content

F
ffmpeg.wasm-core
Commit 08509c8f authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

avcodec/mjpegdec: Skip blocks which are outside the visible area 

Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi
Found-by: 's avatarThomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 29245147
Hide whitespace changes
Inline Side-by-side
Showing with 15 additions and 8 deletions
libavcodec/mjpegdec.c
View file @ 08509c8f
......@@ -1248,13 +1248,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
ptr = data[c] + block_offset;
if ( 8*(h * mb_x + x) < s->width
&& 8*(v * mb_y + y) < s->height) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
if (!s->progressive) {
if (copy_mb)
mjpeg_copy_block(s, ptr, reference_data[c] + block_offset,
linesize[c], s->avctx->lowres);
if (copy_mb) {
if (ptr)
mjpeg_copy_block(s, ptr, reference_data[c] + block_offset,
linesize[c], s->avctx->lowres);
else {
} else {
s->bdsp.clear_block(s->block);
if (decode_block(s, s->block, i,
s->dc_index[i], s->ac_index[i],
......@@ -1263,9 +1268,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
"error y=%d x=%d\n", mb_y, mb_x);
return AVERROR_INVALIDDATA;
}
s->idsp.idct_put(ptr, linesize[c], s->block);
if (s->bits & 7)
shift_output(s, ptr, linesize[c]);
if (ptr) {
s->idsp.idct_put(ptr, linesize[c], s->block);
if (s->bits & 7)
shift_output(s, ptr, linesize[c]);
}
}
} else {
int block_idx = s->block_stride[c] * (v * mb_y + y) +
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment