[FFmpeg-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Fri Nov 25 03:26:24 EET 2016
On 25.11.2016 01:38, Michael Niedermayer wrote:
> On Fri, Nov 25, 2016 at 12:03:30AM +0100, Andreas Cadhalpun wrote:
>> mss2.c | 13 ++++++++++---
>> 1 file changed, 10 insertions(+), 3 deletions(-)
>> 884b912643244a4205bac63faedfa0c048bcc97a 0001-mss2-only-use-error-correction-for-matching-block-co.patch
>> From df9241d8b575cc0fbf570e714c586ff37a4821fd Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> Date: Thu, 24 Nov 2016 23:57:46 +0100
>> Subject: [PATCH] mss2: only use error correction for matching block counts
>>
>> This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
>> with coded_width/coded_height larger than width/height.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>> libavcodec/mss2.c | 13 ++++++++++---
>> 1 file changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c
>> index 1e24568..62761e8 100644
>> --- a/libavcodec/mss2.c
>> +++ b/libavcodec/mss2.c
>> @@ -409,8 +409,6 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size,
>> return ret;
>> }
>>
>> - ff_mpeg_er_frame_start(s);
>> -
>> v->bits = buf_size * 8;
>>
>> v->end_mb_x = (w + 15) >> 4;
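Review bot: removing ff_mpeg_er_frame_start(s) from this position leaves the ff_er_add_slice() calls made inside ff_vc1_decode_blocks() (see the follow-up reply below) running against error-resilience state that was never started for this frame. Keeping the unconditional ff_mpeg_er_frame_start(s) here and gating only ff_er_frame_end() on the block-count check would avoid the half-initialised state while still fixing the overflow described in the commit message.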
>> @@ -420,9 +418,18 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size,
>> if (v->respic & 2)
>> s->end_mb_y = s->end_mb_y + 1 >> 1;
>>
>> + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) {
>> + ff_mpeg_er_frame_start(s);
>> + } else {
>> + av_log(v->s.avctx, AV_LOG_WARNING,
>> + "disabling error correction due to block count mismatch %dx%d != %dx%d\n",
>> + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height);
>> + }
>> +
>> ff_vc1_decode_blocks(v);
>>
>> - ff_er_frame_end(&s->er);
>> + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height)
>> + ff_er_frame_end(&s->er);
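Review bot: the condition `v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height` is written out twice (before ff_mpeg_er_frame_start(s) and before ff_er_frame_end(&s->er)); storing it once in a local such as `int use_er = v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height;` would keep the start and end paths from drifting apart on a later edit. The warning is also emitted on every frame with a mismatch, so a stream whose coded size consistently differs from its display size will repeat it for each picture; a lower log level or a once-per-context flag would keep it informative without flooding the log. Minor: the function already receives `avctx`, so `v->s.avctx` in the av_log call can simply be `avctx`.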
>
> There are still ff_er_add_slice() calls in the block decode code, I think.
> It seems not to matter, but skipping just ff_er_frame_end() and
> not ff_mpeg_er_frame_start() feels less inconsistent.
OK, updated patch is attached.
Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mss2-only-use-error-correction-for-matching-block-co.patch
Type: text/x-diff
Size: 1193 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20161125/890daab6/attachment.patch>