[FFmpeg-devel] Fix mjpeg decoder runaway from internal buffer

Anatoly Nenashev anatoly.nenashev
Wed Oct 20 17:36:51 CEST 2010


On 19.10.2010 19:14, Michael Niedermayer wrote:
> On Tue, Oct 19, 2010 at 06:50:21PM +0400, Anatoly Nenashev wrote:
>    
>> On 19.10.2010 18:31, Michael Niedermayer wrote:
>>      
>>> On Tue, Oct 19, 2010 at 05:51:55PM +0400, Anatoliy Nenashev wrote:
>>>
>>>        
>>>> Hi!
>>>> In some cases there is a situation where the mjpeg decoder runs away from
>>>> the allocated s->buffer.
>>>> Usually it happens in the VLC decoder for DC-AC coefficients when the input
>>>> frame is corrupted.
>>>> In this case it is caused by "specific" garbage at the end of the memory
>>>> allocated for s->buffer.
>>>>
>>>> Here is a fix to prevent this situation.
>>>>
>>>>          
>>> I don't see how this would prevent overreading the buffer. And no, I don't
>>> care that on your computer with your sample this week it works.
>>> Unless you can show that this always works (which I doubt) it's not
>>> a correct solution.
>>>
>>>        
>> The 0xFF value aligned to a byte is deprecated for a VLC value because it is
>> used for markers. That's why the VLC decoder will stop with an error when
>> it intersects the s->buffer_size position.
>>      
> What you write makes no sense. Any VLC is allowed; 0xFF occurring
> in the bitstream are explicitly escaped. If I missed something in the
> JPEG spec that disallows such VLCs then please refer to this part of the spec
>    
You are right. Sorry, it was my mistake in reading the specification.
I found another way to fix the original problem. I have added a new macro in
get_bits.h to check whether the buffer has been overread.
This macro is used in the mjpeg decoder. It may also be used in other decoders.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: getbits.patch
Type: text/x-patch
Size: 1876 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20101020/20eb84a1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mjpegdec.patch
Type: text/x-patch
Size: 2274 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20101020/20eb84a1/attachment-0001.bin>
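
The kind of overread check discussed in this message, as an added example that is not part of the original e-mail, the scrubbed patches, or FFmpeg's get_bits.h. The `BitReader` type, the function names and the toy length/value format are assumptions made for illustration; the point is that the coefficient loop asks whether enough bits remain before every read instead of relying on the bitstream contents to stop it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical minimal bit reader; names are illustrative, not get_bits.h. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;  /* valid bits in buf */
    size_t index;      /* bits consumed; never exceeds size_bits */
} BitReader;

/* Overread check: nonzero if n more bits are not available. */
static int br_overread(const BitReader *br, unsigned n)
{
    return n > br->size_bits - br->index;
}

/* Read n (1..16) bits MSB-first; -1 instead of touching memory past the end. */
static int br_get_bits(BitReader *br, unsigned n)
{
    unsigned v = 0;
    if (n == 0 || n > 16 || br_overread(br, n))
        return -1;
    for (unsigned i = 0; i < n; i++, br->index++)
        v = (v << 1) | ((br->buf[br->index >> 3] >> (7 - (br->index & 7))) & 1u);
    return (int)v;
}

/* Toy coefficient loop (constructed format, not JPEG Huffman coding):
 * 4-bit length L, then L bits of value. Returns 64, or -1 on truncated input. */
static int decode_block(const uint8_t *buf, size_t size, int coeffs[64])
{
    BitReader br = { buf, size * 8, 0 };
    for (int i = 0; i < 64; i++) {
        int len = br_get_bits(&br, 4);
        int v = len > 0 ? br_get_bits(&br, (unsigned)len) : len;
        if (v < 0)
            return -1;   /* stop before running off the buffer */
        coeffs[i] = v;
    }
    return 64;
}

static const uint8_t cut[] = { 0x4A, 0xF3 };  /* constructed: ends mid-value */
static const uint8_t full[32] = { 0 };        /* constructed: 64 zero lengths */
static int out[64];
int main(void)
{
    printf("%d %d\n", decode_block(cut, sizeof cut, out), decode_block(full, sizeof full, out));
}
```
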
