Mercurial > libavcodec.hg
comparison mjpegbdec.c @ 9737:f9769330c214 libavcodec
Make sure offsets of mjpeg b are within the buffer.
Fixes issue1132
| author | michael |
|---|---|
| date | Sat, 30 May 2009 10:04:09 +0000 |
| parents | 54bc8a2727b0 |
| children | 8a4984c5cacc |
comparison
equal
deleted
inserted
replaced
| 9736:405cbc435997 | 9737:f9769330c214 |
|---|---|
| 26 | 26 |
| 27 #include "avcodec.h" | 27 #include "avcodec.h" |
| 28 #include "mjpeg.h" | 28 #include "mjpeg.h" |
| 29 #include "mjpegdec.h" | 29 #include "mjpegdec.h" |
| 30 | 30 |
| 31 static uint32_t read_offs(AVCodecContext *avctx, GetBitContext *gb, uint32_t size, const char *err_msg){ | |
| 32 uint32_t offs= get_bits_long(gb, 32); | |
| 33 if(offs >= size){ | |
| 34 av_log(avctx, AV_LOG_WARNING, err_msg, offs, size); | |
| 35 return 0; | |
| 36 } | |
| 37 return offs; | |
| 38 } | |
| 31 | 39 |
| 32 static int mjpegb_decode_frame(AVCodecContext *avctx, | 40 static int mjpegb_decode_frame(AVCodecContext *avctx, |
| 33 void *data, int *data_size, | 41 void *data, int *data_size, |
| 34 AVPacket *avpkt) | 42 AVPacket *avpkt) |
| 35 { | 43 { |
| 62 } | 70 } |
| 63 | 71 |
| 64 field_size = get_bits_long(&hgb, 32); /* field size */ | 72 field_size = get_bits_long(&hgb, 32); /* field size */ |
| 65 av_log(avctx, AV_LOG_DEBUG, "field size: 0x%x\n", field_size); | 73 av_log(avctx, AV_LOG_DEBUG, "field size: 0x%x\n", field_size); |
| 66 skip_bits(&hgb, 32); /* padded field size */ | 74 skip_bits(&hgb, 32); /* padded field size */ |
| 67 second_field_offs = get_bits_long(&hgb, 32); | 75 second_field_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "second_field_offs is %d and size is %d\n"); |
| 68 av_log(avctx, AV_LOG_DEBUG, "second field offs: 0x%x\n", second_field_offs); | 76 av_log(avctx, AV_LOG_DEBUG, "second field offs: 0x%x\n", second_field_offs); |
| 69 | 77 |
| 70 dqt_offs = get_bits_long(&hgb, 32); | 78 dqt_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dqt is %d and size is %d\n"); |
| 71 av_log(avctx, AV_LOG_DEBUG, "dqt offs: 0x%x\n", dqt_offs); | 79 av_log(avctx, AV_LOG_DEBUG, "dqt offs: 0x%x\n", dqt_offs); |
| 72 if (dqt_offs) | 80 if (dqt_offs) |
| 73 { | 81 { |
| 74 init_get_bits(&s->gb, buf_ptr+dqt_offs, (buf_end - (buf_ptr+dqt_offs))*8); | 82 init_get_bits(&s->gb, buf_ptr+dqt_offs, (buf_end - (buf_ptr+dqt_offs))*8); |
| 75 s->start_code = DQT; | 83 s->start_code = DQT; |
| 76 ff_mjpeg_decode_dqt(s); | 84 ff_mjpeg_decode_dqt(s); |
| 77 } | 85 } |
| 78 | 86 |
| 79 dht_offs = get_bits_long(&hgb, 32); | 87 dht_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dht is %d and size is %d\n"); |
| 80 av_log(avctx, AV_LOG_DEBUG, "dht offs: 0x%x\n", dht_offs); | 88 av_log(avctx, AV_LOG_DEBUG, "dht offs: 0x%x\n", dht_offs); |
| 81 if (dht_offs) | 89 if (dht_offs) |
| 82 { | 90 { |
| 83 init_get_bits(&s->gb, buf_ptr+dht_offs, (buf_end - (buf_ptr+dht_offs))*8); | 91 init_get_bits(&s->gb, buf_ptr+dht_offs, (buf_end - (buf_ptr+dht_offs))*8); |
| 84 s->start_code = DHT; | 92 s->start_code = DHT; |
| 85 ff_mjpeg_decode_dht(s); | 93 ff_mjpeg_decode_dht(s); |
| 86 } | 94 } |
| 87 | 95 |
| 88 sof_offs = get_bits_long(&hgb, 32); | 96 sof_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); |
| 89 av_log(avctx, AV_LOG_DEBUG, "sof offs: 0x%x\n", sof_offs); | 97 av_log(avctx, AV_LOG_DEBUG, "sof offs: 0x%x\n", sof_offs); |
| 90 if (sof_offs) | 98 if (sof_offs) |
| 91 { | 99 { |
| 92 init_get_bits(&s->gb, buf_ptr+sof_offs, (buf_end - (buf_ptr+sof_offs))*8); | 100 init_get_bits(&s->gb, buf_ptr+sof_offs, (buf_end - (buf_ptr+sof_offs))*8); |
| 93 s->start_code = SOF0; | 101 s->start_code = SOF0; |
| 94 if (ff_mjpeg_decode_sof(s) < 0) | 102 if (ff_mjpeg_decode_sof(s) < 0) |
| 95 return -1; | 103 return -1; |
| 96 } | 104 } |
| 97 | 105 |
| 98 sos_offs = get_bits_long(&hgb, 32); | 106 sos_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sos is %d and size is %d\n"); |
| 99 av_log(avctx, AV_LOG_DEBUG, "sos offs: 0x%x\n", sos_offs); | 107 av_log(avctx, AV_LOG_DEBUG, "sos offs: 0x%x\n", sos_offs); |
| 100 sod_offs = get_bits_long(&hgb, 32); | 108 sod_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); |
| 101 av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs); | 109 av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs); |
| 102 if (sos_offs) | 110 if (sos_offs) |
| 103 { | 111 { |
| 104 // init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8); | 112 // init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8); |
| 105 init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8); | 113 init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8); |