[FFmpeg-cvslog] avcodec/mjpegdec: Skip blocks which are outside the visible area

Michael Niedermayer git at videolan.org
Thu Mar 12 00:52:53 CET 2015


ffmpeg | branch: release/0.7 | Michael Niedermayer <michaelni at gmx.at> | Wed Feb 11 03:33:53 2015 +0100| [2b8c9c1f7de835d50937a8bf2ae90a61929b3bdd] | committer: Michael Niedermayer

avcodec/mjpegdec: Skip blocks which are outside the visible area

Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi

Found-by: Thomas Lindroth <thomas.lindroth at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf)

Conflicts:

	libavcodec/mjpegdec.c
(cherry picked from commit 5553947db2af443778f781a107d9fe9ad6ec5d17)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2b8c9c1f7de835d50937a8bf2ae90a61929b3bdd
---

 libavcodec/mjpegdec.c |   31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index a0dcbc7..9323d53 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -859,19 +859,28 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
 
                     if(s->interlaced && s->bottom_field)
                         block_offset += linesize[c] >> 1;
-                    ptr = data[c] + block_offset;
-                    if(!s->progressive) {
+                    if (   8*(h * mb_x + x) < s->width
+                        && 8*(v * mb_y + y) < s->height) {
+                        ptr = data[c] + block_offset;
+                    } else
+                        ptr = NULL;
+                    if (!s->progressive) {
                         if (copy_mb) {
-                            mjpeg_copy_block(ptr, reference_data[c] + block_offset, linesize[c], s->avctx->lowres);
+                            if (ptr)
+                                mjpeg_copy_block(ptr, reference_data[c] + block_offset,
+                                                linesize[c], s->avctx->lowres);
                         } else {
-                        s->dsp.clear_block(s->block);
-                        if(decode_block(s, s->block, i,
-                                     s->dc_index[i], s->ac_index[i],
-                                     s->quant_matrixes[ s->quant_index[c] ]) < 0) {
-                            av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x);
-                            return -1;
-                        }
-                        s->dsp.idct_put(ptr, linesize[c], s->block);
+                            s->dsp.clear_block(s->block);
+                            if (decode_block(s, s->block, i,
+                                             s->dc_index[i], s->ac_index[i],
+                                             s->quant_matrixes[s->quant_index[c]]) < 0) {
+                                av_log(s->avctx, AV_LOG_ERROR,
+                                       "error y=%d x=%d\n", mb_y, mb_x);
+                                return -1;
+                            }
+                            if (ptr) {
+                                s->dsp.idct_put(ptr, linesize[c], s->block);
+                            }
                         }
                     } else {
                         int block_idx = s->block_stride[c] * (v * mb_y + y) + (h * mb_x + x);



More information about the ffmpeg-cvslog mailing list