[FFmpeg-devel] [PATCH] Fix crash in MJEG decoder

Michael Niedermayer michaelni
Mon Jun 30 11:14:42 CEST 2008


On Mon, Jun 30, 2008 at 08:50:19AM +0200, Diego Santa Cruz wrote:
> > -----Original Message-----
> > From: ffmpeg-devel-bounces at mplayerhq.hu [mailto:ffmpeg-devel-
> > bounces at mplayerhq.hu] On Behalf Of Stefan Gehrer
> > Sent: Friday, June 27, 2008 8:43 PM
> > To: FFmpeg development discussions and patches
> > Subject: Re: [FFmpeg-devel] [PATCH] Fix crash in MJEG decoder
> > 
> > Diego Santa Cruz wrote:
> > > Hi there,
> > >
> > > I have a JPEG file which segfaults the MJPEG decoder.
> > >
> > > This file has 4 color components (YCCK I believe, color transform 2
> > in the Adobe APP14 marker) with no subsampling.
> > >
> > > The problem is that ff_mjpeg_decode_sof() sets the pixel format to
> > PIX_FMT_GRAY8 and thus allocates only one component. Then
> > mjpeg_decode_scan() decodes the MBs and tries to perform the IDCT on a
> > non-allocated component which triggers a segfault.
> > >
> > > The attached patch fixes the problem by simply skipping the IDCT
> > step in mjpeg_decode_scan() when the corresponding component is not
> > allocated.
> > >
> > > The decoded image will not be correct anyhow, but it can be
> > considered a best attempt to decode an unhandled color space and
> > prevents ffmpeg from crashing.
> > >
> > > Tested on SVN HEAD with
> > >
> > > ffmpeg -i celgene.jpg test.avi
> > >
> > > I can provide the troublesome file if required (680K).
> > >
> > > Comments welcome.
> > 
> > I think it would be nicer to adjust the value of nb_components outside
> > of the macroblock loop instead of checking the pointers for validity
> > inside it.
> 
> My knowledge of JPEG is a bit rusty, but I think you still need to
> decode all the MBs to properly advance in the bitstream, so that's why
> only the IDCT part is skipped. Note also that it is not necessarily the
> first appearing component that is kept.

I think the decoder should either decode all planes (=allocate them all)
or reject the file with an error message.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
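Michael's point above, that the SOF stage should either allocate a plane for every declared component or reject the stream, as an added stand-alone illustration (toy code written for this thread, not FFmpeg's; the function names, the toy_sof struct and the SOF0 byte strings are constructed):

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed SOF0 payloads (bytes after the 0xFFC0 marker). The first is a
 * 4-component, non-subsampled 16x16 frame, the shape of file in the thread;
 * the second is a plain 1-component frame. Sample data, not from the list. */
static const uint8_t SOF0_4COMP[] = {
    0x00, 0x14,             /* segment length: 8 + 4*3 = 20 */
    0x08,                   /* sample precision */
    0x00, 0x10, 0x00, 0x10, /* height, width */
    0x04,                   /* nb_components */
    0x01, 0x11, 0x00,       /* id, h/v sampling 1x1, quant table */
    0x02, 0x11, 0x00, 0x03, 0x11, 0x00, 0x04, 0x11, 0x00,
};
static const uint8_t SOF0_GRAY[] = {
    0x00, 0x0b, 0x08, 0x00, 0x10, 0x00, 0x10, 0x01, 0x01, 0x11, 0x00,
};

typedef struct { int width, height, nb_components, h[4], v[4]; } toy_sof;

/* Parse an SOF0 segment. Returns 0 on success, -1 if the buffer is truncated
 * or the declared component count does not fit the segment length. */
int toy_parse_sof(const uint8_t *p, size_t len, toy_sof *s)
{
    size_t seglen;
    if (len < 8) return -1;
    seglen = ((size_t)p[0] << 8) | p[1];
    s->height = (p[3] << 8) | p[4];
    s->width  = (p[5] << 8) | p[6];
    s->nb_components = p[7];
    if (s->nb_components < 1 || s->nb_components > 4) return -1;
    if (seglen != 8 + 3 * (size_t)s->nb_components || len < seglen) return -1;
    for (int i = 0; i < s->nb_components; i++) {
        s->h[i] = p[9 + 3 * i] >> 4;   /* horizontal sampling factor */
        s->v[i] = p[9 + 3 * i] & 15;   /* vertical sampling factor */
    }
    return 0;
}

/* Number of planes to allocate for this SOF, or -1 to reject the stream.
 * The invariant the crash violated: the planes allocated must match
 * nb_components, because the scan loop indexes planes by component. A
 * 4-component (YCCK) SOF with no matching format is an error, not GRAY8. */
int toy_planes_for_sof(const uint8_t *p, size_t len)
{
    toy_sof s;
    if (toy_parse_sof(p, len, &s) < 0) return -1;
    if (s.nb_components == 1) return 1;
    if (s.nb_components == 3) return 3;
    return -1;
}
```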