[FFmpeg-devel] [PATCH] mpegvideo: validate block_last_index before dct_unquantize_intra

Michael Niedermayer michael at niedermayer.cc
Sat Dec 19 21:49:12 CET 2015


On Sat, Dec 19, 2015 at 09:19:27PM +0100, Andreas Cadhalpun wrote:
> On 19.12.2015 21:12, Michael Niedermayer wrote:
> > On Sat, Dec 19, 2015 at 06:13:37PM +0100, Andreas Cadhalpun wrote:
> >> If it is negative, it triggers the assertion in
> >> dct_unquantize_h263_intra.
> >>
> >> This is somehow related to the second hunk of commit 9251942: reverting
> >> that prevents these crashes, but breaks the sample from ticket 302.
> >>
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> ---
> >>
> >> Note that the sample from ticket 302 is currently broken anyway, printing
> >> lots of "slice end not reached but screenspace end" errors.
> >> This still works fine with ffmpeg 2.8.
> >>
> >> ---
> >>  libavcodec/mpegvideo.c | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >> diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
> >> index 6d9e265..e8e54ff 100644
> >> --- a/libavcodec/mpegvideo.c
> >> +++ b/libavcodec/mpegvideo.c
> >> @@ -2402,6 +2402,10 @@ unhandled:
> >>  static inline void put_dct(MpegEncContext *s,
> >>                             int16_t *block, int i, uint8_t *dest, int line_size, int qscale)
> >>  {
> >> +    if (s->block_last_index[i] < 0) {
> >> +        av_log(s->avctx, AV_LOG_WARNING, "Invalid block_last_index in put_dct.\n");
> >> +        return;
> >> +    }
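
Review bot: the early return at the top of put_dct() leaves dest unwritten, so for a block with s->block_last_index[i] < 0 the frame keeps whatever data was already at that position, and because the function is void the caller cannot tell the block was skipped. The guard also sits in a static inline per-block function, so a damaged stream can emit the AV_LOG_WARNING once per affected block, and the message does not say which block index i was hit. Consider rejecting or correcting the negative index at the point where it is produced during decoding, so it never reaches the unquantize call; if a guard stays here, include i in the log message and document what the destination block is expected to contain after the early return.
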
> > 
> > how does block_last_index become negative for this ?
> 
> It's set to -1 in mpeg4_decode_block.
> 
> > this fix doesn't look correct, put_dct() is too late to check for any
> > bitstream errors
> 
> Better ideas are very much welcome. :)

> I can also send you a sample showing this problem.

please do


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates