Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi
Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf)
Conflicts:
libavcodec/mjpegdec.c
(cherry picked from commit b881a97b9977b79dfe3ce02d61542c630fe78c14)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
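--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1083,13 +1083,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
 
 if (s->interlaced && s->bottom_field)
 block_offset += linesize[c] >> 1;
- ptr = data[c] + block_offset;
+ if ( 8*(h * mb_x + x) < s->width
+ && 8*(v * mb_y + y) < s->height) {
+ ptr = data[c] + block_offset;
+ } else
+ ptr = NULL;
 if (!s->progressive) {
- if (copy_mb)
- mjpeg_copy_block(s, ptr, reference_data[c] + block_offset,
- linesize[c], s->avctx->lowres);
+ if (copy_mb) {
+ if (ptr)
+ mjpeg_copy_block(s, ptr, reference_data[c] + block_offset,
+ linesize[c], s->avctx->lowres);
 
- else {
+ } else {
 s->dsp.clear_block(s->block);
 if (decode_block(s, s->block, i,
 s->dc_index[i], s->ac_index[i],
@@ -1098,7 +1103,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
 "error y=%d x=%d\n", mb_y, mb_x);
 return AVERROR_INVALIDDATA;
 }
- s->dsp.idct_put(ptr, linesize[c], s->block);
+ if (ptr) {
+ s->dsp.idct_put(ptr, linesize[c], s->block);
+ }
 }
 } else {
 int block_idx = s->block_stride[c] * (v * mb_y + y) +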
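Review bot: The new guard in front of `ptr = data[c] + block_offset` compares only the block's top-left sample with `s->width` and `s->height`, which are frame dimensions rather than the dimensions of plane `c`. For a subsampled component the plane is smaller than the frame, so the check is sufficient only if `h` and `v` are validated against the maximum sampling factors and each plane is padded to whole 8x8 blocks; neither is visible in these hunks. I would state that assumption above the guard, e.g. `/* blocks whose origin lies outside the picture are still decoded but never written; relies on planes being padded to a whole block */`. The progressive branch at the end of the second hunk builds `block_idx` from the same `v * mb_y + y` and `h * mb_x + x` coordinates without this guard, so it deserves the same bound unless the array it indexes is sized independently of the picture dimensions. mjpeg_decode_scan begins and ends outside both hunks, so any validation done earlier in the function cannot be confirmed from here.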