# HG changeset patch
# User michael
# Date 1258755277 0
# Node ID 981e7720fc030cf204cb3d592feb740dd85e78d0
# Parent e68792a12c3187827a4ef1e0c2f41f2c7b7cb287
Allocate pictures with enough padding for jpeg. Ensure that jpeg does not use mbs that could require larger padding. This might have been exploitable.
diff -r e68792a12c31 -r 981e7720fc03 mjpegdec.c
--- a/mjpegdec.c	Fri Nov 20 21:08:26 2009 +0000
+++ b/mjpegdec.c	Fri Nov 20 22:14:37 2009 +0000
@@ -292,9 +292,10 @@
                  (s->h_count[2] << 12) | (s->v_count[2] << 8) |
                  (s->h_count[3] << 4) | s->v_count[3];
     av_log(s->avctx, AV_LOG_DEBUG, "pix fmt id %x\n", pix_fmt_id);
-    if(!(pix_fmt_id & 0x10101010))
+    //NOTE we do not allocate pictures large enough for the possible padding of h/v_count being 4
+    if(!(pix_fmt_id & 0xD0D0D0D0))
         pix_fmt_id-= (pix_fmt_id & 0xF0F0F0F0)>>1;
-    if(!(pix_fmt_id & 0x01010101))
+    if(!(pix_fmt_id & 0x0D0D0D0D))
         pix_fmt_id-= (pix_fmt_id & 0x0F0F0F0F)>>1;
 
     switch(pix_fmt_id){
diff -r e68792a12c31 -r 981e7720fc03 utils.c
--- a/utils.c	Fri Nov 20 21:08:26 2009 +0000
+++ b/utils.c	Fri Nov 20 22:14:37 2009 +0000
@@ -126,17 +126,19 @@
     case PIX_FMT_YUYV422:
     case PIX_FMT_UYVY422:
     case PIX_FMT_YUV422P:
+    case PIX_FMT_YUV440P:
     case PIX_FMT_YUV444P:
     case PIX_FMT_GRAY8:
     case PIX_FMT_GRAY16BE:
     case PIX_FMT_GRAY16LE:
     case PIX_FMT_YUVJ420P:
     case PIX_FMT_YUVJ422P:
+    case PIX_FMT_YUVJ440P:
     case PIX_FMT_YUVJ444P:
     case PIX_FMT_YUVA420P:
         w_align= 16; //FIXME check for non mpeg style codecs and use less alignment
         h_align= 16;
-        if(s->codec_id == CODEC_ID_MPEG2VIDEO)
+        if(s->codec_id == CODEC_ID_MPEG2VIDEO || s->codec_id == CODEC_ID_MJPEG || s->codec_id == CODEC_ID_AMV || s->codec_id == CODEC_ID_THP)
             h_align= 32; // interlaced is rounded up to 2 MBs
         break;
     case PIX_FMT_YUV411P:
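Review bot: The new masks 0xD0D0D0D0 and 0x0D0D0D0D carry the whole safety argument of this hunk, but the NOTE above them only says what is not allocated, not how the masks enforce it; a reader has to work out that 0xD tests bits 0, 2 and 3 of each h_count/v_count nibble, so the halving now runs only when every count is 0 or 2 and a count of 4 is left unreduced instead of being folded into a supported layout. I would replace the NOTE with `// Halve the sampling-factor nibbles only when every count is 0 or 2 (0xD tests bits 0,2,3); a count of 4 would need 32-pixel padding the picture buffers do not have, so leave it unreduced and let the switch below refuse it.` Whether the unreduced id is actually refused depends on the default case of the switch, which is outside this hunk — it is worth confirming that unmatched ids error out rather than fall through to a format guess. The enclosing function starts and ends outside the hunk.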
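Review bot: The codec_id condition guarding the h_align assignment has become one very long line of four `||` terms that is hard to scan and will only grow with the next JPEG-family codec; I would wrap it as `if(s->codec_id == CODEC_ID_MPEG2VIDEO || s->codec_id == CODEC_ID_MJPEG ||` / `   s->codec_id == CODEC_ID_AMV || s->codec_id == CODEC_ID_THP)`. With the JPEG codecs added, the trailing comment `// interlaced is rounded up to 2 MBs` no longer explains every entry; something like `// interlaced MPEG-2 and the JPEG-family decoders can both need 2 MBs of vertical padding` keeps the reason next to the list, with the exact JPEG requirement documented in mjpegdec.c rather than here. Because the padding is now keyed on codec_id rather than on the stream's sampling factors, any other decoder that reuses the mjpegdec code paths under its own codec id would presumably need adding here too, or it would keep the 16-row padding this commit treats as insufficient. The enclosing switch and function extend beyond the hunk.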