[FFmpeg-cvslog] avcodec/mjpegdec: Fix context fields becoming inconsistent

Michael Niedermayer git at videolan.org
Thu Mar 12 00:52:50 CET 2015


ffmpeg | branch: release/0.7 | Michael Niedermayer <michaelni at gmx.at> | Tue Nov 25 13:53:06 2014 +0100| [30e8a375901f8802853fd6d478b77a127d208bd6] | committer: Michael Niedermayer

avcodec/mjpegdec: Fix context fields becoming inconsistent

Fixes an out-of-array (heap out-of-bounds) access
Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844)

Conflicts:

	libavcodec/mjpegdec.c
(cherry picked from commit 32d3acac727f3f4a6489ca129a5ea4ccdfcb34a5)

Conflicts:

	libavcodec/mjpegdec.c
(cherry picked from commit 8d8ac60d70aee50d44a3e1d7de276598de041640)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=30e8a375901f8802853fd6d478b77a127d208bd6
---

 libavcodec/mjpegdec.c |   20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 6d0ec63..8a6d50d 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1177,6 +1177,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
     }
 
     if (id == AV_RL32("LJIF")){
+        int rgb = s->rgb;
+        int pegasus_rct = s->pegasus_rct;
         if (s->avctx->debug & FF_DEBUG_PICT_INFO)
             av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n");
         skip_bits(&s->gb, 16); /* version ? */
@@ -1185,17 +1187,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
         skip_bits(&s->gb, 16); /* unknwon always 0? */
         switch( get_bits(&s->gb, 8)){
         case 1:
-            s->rgb= 1;
-            s->pegasus_rct=0;
+            rgb         = 1;
+            pegasus_rct = 0;
             break;
         case 2:
-            s->rgb= 1;
-            s->pegasus_rct=1;
+            rgb         = 1;
+            pegasus_rct = 1;
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n");
         }
+
         len -= 9;
+        if (s->got_picture)
+            if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {
+                av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n");
+                goto out;
+            }
+
+        s->rgb = rgb;
+        s->pegasus_rct = pegasus_rct;
+
         goto out;
     }
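Review bot: The new consistency check is a braceless nested `if` — `if (s->got_picture)` followed by a second `if` whose body is braced — which is exactly the shape that invites a misplaced-statement bug later; fold it into one guarded condition: `if (s->got_picture && (rgb != s->rgb || pegasus_rct != s->pegasus_rct)) {`. The `default:` branch above logs "unknown colorspace" at AV_LOG_ERROR but then continues into the assignment; since `rgb` and `pegasus_rct` were initialised from the context fields this is a no-op rather than a corruption, but a one-line comment such as `/* unknown colorspace: keep the current rgb/pegasus_rct state */` would make that intent explicit. Note also that the guard only takes effect once `got_picture` is set, so a tag seen before the first frame may still switch the mode freely — presumably intended, but worth a comment. mjpeg_decode_app begins before this hunk and the `out:` label it jumps to lies outside it.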
 


