
avcodec/mjpegdec: Fix context fields becoming inconsistent

Fixes out of array access
Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Michael Niedermayer authored on 2014/11/25 21:53:06
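--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1596,6 +1596,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
     }
 
     if (id == AV_RB32("LJIF")) {
+        int rgb = s->rgb;
+        int pegasus_rct = s->pegasus_rct;
         if (s->avctx->debug & FF_DEBUG_PICT_INFO)
             av_log(s->avctx, AV_LOG_INFO,
                    "Pegasus lossless jpeg header found\n");
@@ -1605,17 +1607,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
         skip_bits(&s->gb, 16); /* unknown always 0? */
         switch (i=get_bits(&s->gb, 8)) {
         case 1:
-            s->rgb         = 1;
-            s->pegasus_rct = 0;
+            rgb         = 1;
+            pegasus_rct = 0;
             break;
         case 2:
-            s->rgb         = 1;
-            s->pegasus_rct = 1;
+            rgb         = 1;
+            pegasus_rct = 1;
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace %d\n", i);
         }
+
         len -= 9;
+        if (s->got_picture)
+            if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {
+                av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n");
+                goto out;
+            }
+
+        s->rgb = rgb;
+        s->pegasus_rct = pegasus_rct;
+
         goto out;
     }
     if (id == AV_RL32("colr") && len > 0) {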