comparison mjpeg.c @ 2422:18b8b2dcc037 libavcodec

various security fixes and precautionary checks
author michael
date Wed, 12 Jan 2005 00:16:25 +0000
parents 26560d4fdb1f
children ba01b8552bd4
2421:e326490f58c4 2422:18b8b2dcc037
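--- a/mjpeg.c
+++ b/mjpeg.c
@@ -657,25 +657,30 @@
 p->key_frame= 1;
 
 mjpeg_picture_header(s);
 
 s->header_bits= put_bits_count(&s->pb);
 
 if(avctx->pix_fmt == PIX_FMT_RGBA32){
 int x, y, i;
 const int linesize= p->linesize[0];
-uint16_t buffer[2048][4];
+uint16_t (*buffer)[4]= s->rd_scratchpad;
 int left[3], top[3], topleft[3];
 
 for(i=0; i<3; i++){
 buffer[0][i]= 1 << (9 - 1);
 }
 
 for(y = 0; y < height; y++) {
 const int modified_predictor= y ? predictor : 1;
 uint8_t *ptr = p->data[0] + (linesize * y);
 
+if(s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < width*3*4){
+av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
+return -1;
+}
+
 for(i=0; i<3; i++){
 top[i]= left[i]= topleft[i]= buffer[0][i];
 }
 for(x = 0; x < width; x++) {
 buffer[x][1] = ptr[4*x+0] - ptr[4*x+1] + 0x100;
@@ -705,10 +710,14 @@
 int mb_x, mb_y, i;
 const int mb_width = (width + s->mjpeg_hsample[0] - 1) / s->mjpeg_hsample[0];
 const int mb_height = (height + s->mjpeg_vsample[0] - 1) / s->mjpeg_vsample[0];
 
 for(mb_y = 0; mb_y < mb_height; mb_y++) {
+if(s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < mb_width * 4 * 3 * s->mjpeg_hsample[0] * s->mjpeg_vsample[0]){
+av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
+return -1;
+}
 for(mb_x = 0; mb_x < mb_width; mb_x++) {
 if(mb_x==0 || mb_y==0){
 for(i=0;i<3;i++) {
 uint8_t *ptr;
 int x, y, h, v, linesize;
@@ -1058,11 +1067,14 @@
 av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n");
 return -1;
 }
 height = get_bits(&s->gb, 16);
 width = get_bits(&s->gb, 16);
+
 dprintf("sof0: picture: %dx%d\n", width, height);
+if(avcodec_check_dimensions(s->avctx, width, height))
+return -1;
 
 nb_components = get_bits(&s->gb, 8);
 if (nb_components <= 0 ||
 nb_components > MAX_COMPONENTS)
 return -1;
@@ -1226,14 +1238,17 @@
 return 0;
 }
 
 static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int predictor, int point_transform){
 int i, mb_x, mb_y;
-uint16_t buffer[2048][4];
+uint16_t buffer[32768][4];
 int left[3], top[3], topleft[3];
 const int linesize= s->linesize[0];
 const int mask= (1<<s->bits)-1;
+
+if((unsigned)s->mb_width > 32768) //dynamic alloc
+return -1;
 
 for(i=0; i<3; i++){
 buffer[0][i]= 1 << (s->bits + point_transform - 1);
 }
 for(mb_y = 0; mb_y < s->mb_height; mb_y++) {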
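Review bot: In `ljpeg_decode_rgb_scan` the enlarged `uint16_t buffer[32768][4]` reserves 256 KiB of stack on every call, whatever the picture width, so a decode running on a thread with a small stack can overflow it before the new `mb_width` check is even reached; the `//dynamic alloc` remark suggests this is known but it is left open in this change. Until the buffer is allocated from `s->mb_width` (or taken from a context scratch buffer, as the encoder side now does with `s->rd_scratchpad`), the limit and the array size are two independent literals that can drift apart, so the guard is better tied to the array itself: `if((unsigned)s->mb_width > sizeof(buffer)/sizeof(buffer[0])) return -1;`. The function body continues past the end of this section, so the assumption that `buffer` is indexed by `mb_x` up to `s->mb_width` is inferred rather than visible here.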