Commit c2fa6bb0 authored by Anton Khirnov's avatar Anton Khirnov

mpeg12dec: move setting first_field to mpeg_field_start()

For field pictures, first_field is set based on its previous value.
Before this commit, first_field is set when reading the picture
coding extension. However, in corrupted files there may be multiple
picture coding extension headers, so the final value of first_field that
is actually used during decoding can be wrong. That can lead to various
kinds of undefined behaviour, like predicting from a non-existing field.

Fix this problem by setting first_field in mpeg_field_start(), which
should be called exactly once per field.

CC: libav-stable@libav.org
Bug-ID: 999
parent e807491f
...@@ -1536,10 +1536,8 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) ...@@ -1536,10 +1536,8 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
av_log(s->avctx, AV_LOG_WARNING, "invalid frame_pred_frame_dct\n"); av_log(s->avctx, AV_LOG_WARNING, "invalid frame_pred_frame_dct\n");
if (s->picture_structure == PICT_FRAME) { if (s->picture_structure == PICT_FRAME) {
s->first_field = 0;
s->v_edge_pos = 16 * s->mb_height; s->v_edge_pos = 16 * s->mb_height;
} else { } else {
s->first_field ^= 1;
s->v_edge_pos = 8 * s->mb_height; s->v_edge_pos = 8 * s->mb_height;
memset(s->mbskip_table, 0, s->mb_stride * s->mb_height); memset(s->mbskip_table, 0, s->mb_stride * s->mb_height);
} }
...@@ -1570,6 +1568,11 @@ static int mpeg_field_start(MpegEncContext *s, const uint8_t *buf, int buf_size) ...@@ -1570,6 +1568,11 @@ static int mpeg_field_start(MpegEncContext *s, const uint8_t *buf, int buf_size)
Mpeg1Context *s1 = (Mpeg1Context *) s; Mpeg1Context *s1 = (Mpeg1Context *) s;
int ret; int ret;
if (s->picture_structure == PICT_FRAME)
s->first_field = 0;
else
s->first_field ^= 1;
/* start frame decoding */ /* start frame decoding */
if (s->first_field || s->picture_structure == PICT_FRAME) { if (s->first_field || s->picture_structure == PICT_FRAME) {
AVFrameSideData *pan_scan; AVFrameSideData *pan_scan;
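Review bot: The toggle `s->first_field ^= 1;` added at the top of mpeg_field_start() runs before any step of the function that could fail, so an error return further down would leave first_field flipped and the next field picture would start with the wrong parity. This is inferred, because the function body continues past the end of this hunk. The commit message's "exactly once per field" is an invariant that nothing in the visible lines enforces for damaged streams, so consider resetting `s->first_field = 0;` on the error returns of this function. A short comment above the new block would also record why the update lives here, for example `/* updated here, not in the picture coding extension parser: corrupt streams can carry several extension headers per field */`.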
......