[FFmpeg-cvslog] r20566 - in trunk/libavcodec: mjpegdec.c utils.c
michael
subversion
Fri Nov 20 23:14:37 CET 2009
Author: michael
Date: Fri Nov 20 23:14:37 2009
New Revision: 20566
Log:
Allocate pictures with enough padding for JPEG.
Ensure that JPEG does not use macroblocks that could require larger padding.
This might have been exploitable.
Modified:
trunk/libavcodec/mjpegdec.c
trunk/libavcodec/utils.c
Modified: trunk/libavcodec/mjpegdec.c
==============================================================================
--- trunk/libavcodec/mjpegdec.c Fri Nov 20 22:08:26 2009 (r20565)
+++ trunk/libavcodec/mjpegdec.c Fri Nov 20 23:14:37 2009 (r20566)
@@ -292,9 +292,10 @@ int ff_mjpeg_decode_sof(MJpegDecodeConte
(s->h_count[2] << 12) | (s->v_count[2] << 8) |
(s->h_count[3] << 4) | s->v_count[3];
av_log(s->avctx, AV_LOG_DEBUG, "pix fmt id %x\n", pix_fmt_id);
- if(!(pix_fmt_id & 0x10101010))
+ //NOTE we do not allocate pictures large enough for the possible padding of h/v_count being 4
+ if(!(pix_fmt_id & 0xD0D0D0D0))
pix_fmt_id-= (pix_fmt_id & 0xF0F0F0F0)>>1;
- if(!(pix_fmt_id & 0x01010101))
+ if(!(pix_fmt_id & 0x0D0D0D0D))
pix_fmt_id-= (pix_fmt_id & 0x0F0F0F0F)>>1;
switch(pix_fmt_id){
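Review bot: The new NOTE above the `0xD0D0D0D0`/`0x0D0D0D0D` masks says what is not allocated but not what the wider masks do: any h_count or v_count other than 2 now leaves pix_fmt_id unnormalized, so rejecting a count of 4 depends on the switch below having no matching case and its default path failing the frame, which is outside this hunk. Suggest making that dependency explicit in the comment, e.g. `//NOTE pictures are not allocated with enough padding for h/v_count of 4; such ids are deliberately left unnormalized so the switch below rejects them`. If the default case of that switch does not return an error, the guard is incomplete and should be paired with an explicit check on the counts. ff_mjpeg_decode_sof starts before this hunk.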
Modified: trunk/libavcodec/utils.c
==============================================================================
--- trunk/libavcodec/utils.c Fri Nov 20 22:08:26 2009 (r20565)
+++ trunk/libavcodec/utils.c Fri Nov 20 23:14:37 2009 (r20566)
@@ -126,17 +126,19 @@ void avcodec_align_dimensions(AVCodecCon
case PIX_FMT_YUYV422:
case PIX_FMT_UYVY422:
case PIX_FMT_YUV422P:
+ case PIX_FMT_YUV440P:
case PIX_FMT_YUV444P:
case PIX_FMT_GRAY8:
case PIX_FMT_GRAY16BE:
case PIX_FMT_GRAY16LE:
case PIX_FMT_YUVJ420P:
case PIX_FMT_YUVJ422P:
+ case PIX_FMT_YUVJ440P:
case PIX_FMT_YUVJ444P:
case PIX_FMT_YUVA420P:
w_align= 16; //FIXME check for non mpeg style codecs and use less alignment
h_align= 16;
- if(s->codec_id == CODEC_ID_MPEG2VIDEO)
+ if(s->codec_id == CODEC_ID_MPEG2VIDEO || s->codec_id == CODEC_ID_MJPEG || s->codec_id == CODEC_ID_AMV || s->codec_id == CODEC_ID_THP)
h_align= 32; // interlaced is rounded up to 2 MBs
break;
case PIX_FMT_YUV411P:
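Review bot: The comment `// interlaced is rounded up to 2 MBs` on the h_align= 32 line now also covers MJPEG, AMV and THP, for which the reason is the padding requirement stated in the commit log and the mjpegdec.c half of this change rather than interlacing, so the comment is misleading as written. Suggest `h_align= 32; // interlaced mpeg2 is rounded up to 2 MBs; jpeg-style codecs need the same vertical padding`. The four-way `||` chain on one line would also read better split across lines or moved into a small `static` helper that names the intent. avcodec_align_dimensions starts before this hunk and continues after it.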