Mercurial > libavcodec.hg
comparison mjpegdec.c @ 10549:981e7720fc03 libavcodec
Allocate pictures with enough padding for jpeg.
Ensure that jpeg does not use mbs that could require larger padding.
This might have been exploitable.
| author | michael |
|---|---|
| date | Fri, 20 Nov 2009 22:14:37 +0000 |
| parents | 8d8fcc20dd30 |
| children | 7127645ee791 |
comparison
equal
deleted
inserted
replaced
| 10548:e68792a12c31 | 10549:981e7720fc03 |
|---|---|
| 290 pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | | 290 pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | |
| 291 (s->h_count[1] << 20) | (s->v_count[1] << 16) | | 291 (s->h_count[1] << 20) | (s->v_count[1] << 16) | |
| 292 (s->h_count[2] << 12) | (s->v_count[2] << 8) | | 292 (s->h_count[2] << 12) | (s->v_count[2] << 8) | |
| 293 (s->h_count[3] << 4) | s->v_count[3]; | 293 (s->h_count[3] << 4) | s->v_count[3]; |
| 294 av_log(s->avctx, AV_LOG_DEBUG, "pix fmt id %x\n", pix_fmt_id); | 294 av_log(s->avctx, AV_LOG_DEBUG, "pix fmt id %x\n", pix_fmt_id); |
| 295 if(!(pix_fmt_id & 0x10101010)) | 295 //NOTE we do not allocate pictures large enough for the possible padding of h/v_count being 4 |
| 296 if(!(pix_fmt_id & 0xD0D0D0D0)) | |
| 296 pix_fmt_id-= (pix_fmt_id & 0xF0F0F0F0)>>1; | 297 pix_fmt_id-= (pix_fmt_id & 0xF0F0F0F0)>>1; |
| 297 if(!(pix_fmt_id & 0x01010101)) | 298 if(!(pix_fmt_id & 0x0D0D0D0D)) |
| 298 pix_fmt_id-= (pix_fmt_id & 0x0F0F0F0F)>>1; | 299 pix_fmt_id-= (pix_fmt_id & 0x0F0F0F0F)>>1; |
| 299 | 300 |
| 300 switch(pix_fmt_id){ | 301 switch(pix_fmt_id){ |
| 301 case 0x11111100: | 302 case 0x11111100: |
| 302 if(s->rgb){ | 303 if(s->rgb){ |