diff mjpegdec.c @ 10549:981e7720fc03 libavcodec

Allocate pictures with enough padding for jpeg. Ensure that jpeg does not use mbs that could require larger padding. This might have been exploitable.
author michael
date Fri, 20 Nov 2009 22:14:37 +0000
parents 8d8fcc20dd30
children 7127645ee791
--- a/mjpegdec.c	Fri Nov 20 21:08:26 2009 +0000
+++ b/mjpegdec.c	Fri Nov 20 22:14:37 2009 +0000
@@ -292,9 +292,10 @@
                  (s->h_count[2] << 12) | (s->v_count[2] <<  8) |
                  (s->h_count[3] <<  4) |  s->v_count[3];
     av_log(s->avctx, AV_LOG_DEBUG, "pix fmt id %x\n", pix_fmt_id);
-    if(!(pix_fmt_id & 0x10101010))
+    //NOTE we do not allocate pictures large enough for the possible padding of h/v_count being 4
+    if(!(pix_fmt_id & 0xD0D0D0D0))
         pix_fmt_id-= (pix_fmt_id & 0xF0F0F0F0)>>1;
-    if(!(pix_fmt_id & 0x01010101))
+    if(!(pix_fmt_id & 0x0D0D0D0D))
         pix_fmt_id-= (pix_fmt_id & 0x0F0F0F0F)>>1;
 
     switch(pix_fmt_id){
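Review bot: The new masks at `if(!(pix_fmt_id & 0xD0D0D0D0))` and `if(!(pix_fmt_id & 0x0D0D0D0D))` only stop a sampling factor of 4 from being halved into a known layout. The stream is refused only if the unreduced `pix_fmt_id` then matches no case in the `switch` that begins on the last line, and that case list lies outside this hunk. Since the commit message treats this as a possible memory-safety issue, an explicit test of each `h_count`/`v_count` against the largest factor the picture padding covers, returning an error before the normalisation, would keep the guard from depending on which cases the switch happens to contain. The NOTE comment should also say how the mask works, e.g. `//0xD tests bits 0, 2 and 3 of each factor: halve only when every factor is 0 or 2, so a factor of 4 is never reduced to a supported id`. The enclosing function starts and ends outside the hunk.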