From 7f451cb01f9f7a749b503179ba58b2f999056905 Mon Sep 17 00:00:00 2001
From: Jindrich Makovicka
Date: Thu, 16 May 2013 16:49:28 +0200
Subject: [PATCH 1/4] mpegvideo: allocate sufficiently large scratch buffer for interlaced vid

MPV_decode_mb_internal needs 3 * 16 * linesize bytes of scratch buffer

For interlaced content, linesize is multiplied by two after the allocation of the scratch buffer, and the dest_cr pointer ends past the buffer.

This patch makes ff_mpv_frame_size_alloc allocate a total of (aligned line_size) * 2 * 16 * 3 bytes, which suffices even for the interlaced case.

CC:libav-stable@libav.org
Signed-off-by: Jindrich Makovicka
Signed-off-by: Anton Khirnov
(cherry picked from commit 259af1b92370b32f6d0b9a6de314db4b44c2481d)
Signed-off-by: Reinhard Tartler
---
 libavcodec/mpegvideo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 10b13b552e..77e21d2bf1 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -248,7 +248,7 @@ int ff_mpv_frame_size_alloc(MpegEncContext *s, int linesize)
 FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, alloc_size * 2 * 24,
 fail);
- FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, alloc_size * 2 * 16 * 2,
+ FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, alloc_size * 2 * 16 * 3,
 fail)
 s->me.temp = s->me.scratchpad;
 s->rd_scratchpad = s->me.scratchpad;

From 9eecf633f7015cd8364354ffb7846d999519d099 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Fri, 17 May 2013 12:36:06 +0200
Subject: [PATCH 2/4] jpegls: return meaningful errors

(cherry picked from commit a5a0ef5e13a59ff53318a45d77c5624b23229c6f)
Signed-off-by: Reinhard Tartler

Conflicts:
 libavcodec/jpeglsdec.c
---
 libavcodec/jpeglsdec.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 8a558476c3..b0badbb7d9 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
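Review bot: The `* 3` on the new scratchpad allocation is a bare multiplier whose derivation — three 16-line scratch planes for MPV_decode_mb_internal at the doubled interlaced pitch, according to the commit message — appears nowhere in the code, so the next reader cannot tell that the old `2` was an under-allocation rather than a deliberate choice. A comment on the allocation would pin it down: `/* 3 planes * 16 lines * (2 * linesize for interlaced): sized for the largest consumer, MPV_decode_mb_internal */`. The context lines alias s->me.temp and s->rd_scratchpad to this same buffer, so the comment should also state that the size must be the maximum over every user of the scratchpad, not just the motion-estimation one. ff_mpv_frame_size_alloc continues outside the hunk.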
@@ -70,13 +70,13 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
 case 2:
 case 3:
 av_log(s->avctx, AV_LOG_ERROR, "palette not supported\n");
- return -1;
+ return AVERROR(ENOSYS);
 case 4:
 av_log(s->avctx, AV_LOG_ERROR, "oversize image not supported\n");
- return -1;
+ return AVERROR(ENOSYS);
 default:
 av_log(s->avctx, AV_LOG_ERROR, "invalid id %d\n", id);
- return -1;
+ return AVERROR_INVALIDDATA;
 }
 av_dlog(s->avctx, "ID=%i, T=%i,%i,%i\n", id, s->t1, s->t2, s->t3);
@@ -327,11 +327,11 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 last = cur;
 cur += s->picture_ptr->linesize[0];
 }
- } else if(ilv == 2) { /* sample interleaving */
+ } else if (ilv == 2) { /* sample interleaving */
 av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n");
 av_free(state);
 av_free(zero);
- return -1;
+ return AVERROR_PATCHWELCOME;
 }
 if(shift){ /* we need to do point transform or normalize samples */

From 582aec49892dd42eb8bab5d4837f656a4b821188 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Fri, 31 May 2013 22:36:47 +0200
Subject: [PATCH 3/4] jpegls: factorize return paths

Conflicts:
 libavcodec/jpeglsdec.c
(cherry picked from commit 4a4107b48944397c914aa39ee16a82fe44db8c4c)
---
 libavcodec/jpeglsdec.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index b0badbb7d9..15bf962900 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -259,7 +259,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 int i, t = 0;
 uint8_t *zero, *last, *cur;
 JLSState *state;
- int off = 0, stride = 1, width, shift;
+ int off = 0, stride = 1, width, shift, ret = 0;
 zero = av_mallocz(s->picture_ptr->linesize[0]);
 last = zero;
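Review bot: The two "not supported" branches (palette, oversize image) now return `AVERROR(ENOSYS)`, while the "Sample interleaved images are not supported" branch in the second hunk of this same patch returns `AVERROR_PATCHWELCOME` for the same kind of condition, so a caller gets two different codes for "feature not implemented". Unless ENOSYS is deliberately meant as "will never be supported", `return AVERROR_PATCHWELCOME;` for the palette and oversize-image cases would keep the module consistent with the decode_picture path. Mapping the `default` case to `AVERROR_INVALIDDATA` is the right choice, since an unknown id comes straight from the bitstream. The switch in ff_jpegls_decode_lse begins before this hunk.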
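Review bot: `ret` is introduced so later error paths can `goto end` and fall through to the shared `av_free(state); av_free(zero);` (the `end:` label is added in this patch's hunk at -359), but `JLSState *state;` two lines above the changed line stays uninitialized, so any `goto end` taken before `state` is assigned — the allocation is not visible in these hunks — would hand an indeterminate pointer to av_free. Initializing it in the declaration, `JLSState *state = NULL;`, makes the shared cleanup safe for every early exit, since av_free accepts NULL. `zero` is assigned immediately after the declarations here, so it does not have the same window, but giving it `= NULL` as well would keep the two cleanup targets symmetric. ff_jpegls_decode_picture continues past this hunk.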
@@ -329,9 +329,8 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 }
 } else if (ilv == 2) { /* sample interleaving */
 av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n");
- av_free(state);
- av_free(zero);
- return AVERROR_PATCHWELCOME;
+ ret = AVERROR_PATCHWELCOME;
+ goto end;
 }
 if(shift){ /* we need to do point transform or normalize samples */
@@ -359,10 +358,12 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 }
 }
 }
+
+end:
 av_free(state);
 av_free(zero);
- return 0;
+ return ret;
 }

From 0af5a774ebc96ae9018926dc8b276c7f39767e3e Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Fri, 17 May 2013 13:08:55 +0200
Subject: [PATCH 4/4] jpegls: check the scan offset

Prevent an out of array bound write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit abad374909e6416e941351094f4f1446a71f8d23)
Signed-off-by: Reinhard Tartler

Conflicts:
 libavcodec/jpeglsdec.c
---
 libavcodec/jpeglsdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 15bf962900..f851ec0420 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -289,6 +289,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 av_dlog(s->avctx, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan);
 if(ilv == 0) { /* separate planes */
+ if (s->cur_scan > s->nb_components) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
 off = s->cur_scan - 1;
 stride = (s->nb_components > 1) ? 3 : 1;
 width = s->width * stride;
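Review bot: The new guard rejects `s->cur_scan > s->nb_components` but not a zero value, and the next line computes `off = s->cur_scan - 1;`, so a cur_scan of 0 would still yield a negative plane offset unless the caller guarantees cur_scan is at least 1, which these hunks do not show. Tightening the condition to `if (s->cur_scan < 1 || s->cur_scan > s->nb_components) {` closes both ends of the range at no cost and makes the check self-contained rather than dependent on the caller. A short comment such as `/* cur_scan is 1-based and selects the plane, so it must lie within 1..nb_components */` would also record why the upper bound is inclusive. ff_jpegls_decode_picture continues outside the hunk, and the `end:` label the goto targets comes from the previous patch.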