[FFmpeg-cvslog] eatgq: Pass error code from tgq_decode_mb() and let the caller fail.

Michael Niedermayer git at videolan.org
Thu Mar 1 20:14:54 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Thu Mar  1 19:56:57 2012 +0100| [dc945b1fa8ae65a18116d2ba362871aeebc573b0] | committer: Michael Niedermayer

eatgq: Pass error code from tgq_decode_mb() and let the caller fail.

This fixes an over-read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dc945b1fa8ae65a18116d2ba362871aeebc573b0
---

 libavcodec/eatgq.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c
index 9bf15f4..1cce1da 100644
--- a/libavcodec/eatgq.c
+++ b/libavcodec/eatgq.c
@@ -141,7 +141,7 @@ static void tgq_idct_put_mb_dconly(TgqContext *s, int mb_x, int mb_y, const int8
     }
 }
 
-static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs, const uint8_t *buf_end){
+static int tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs, const uint8_t *buf_end){
     int mode;
     int i;
     int8_t dc[6];
@@ -149,7 +149,7 @@ static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs,
     mode = bytestream_get_byte(bs);
     if (mode>buf_end-*bs) {
         av_log(s->avctx, AV_LOG_ERROR, "truncated macroblock\n");
-        return;
+        return AVERROR_INVALIDDATA;
     }
 
     if (mode>12) {
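Review bot: The mode byte is fetched with `bytestream_get_byte(bs)` before anything visible in this hunk confirms that `*bs` is still below `buf_end`. When the stream ends exactly on a macroblock boundary, that read lands one byte past the buffer, and the `mode>buf_end-*bs` comparison only catches it afterwards. This is harmless if the caller's input padding covers that byte, but nothing here shows that it does. A guard ahead of the read would make the function safe on its own: `if (*bs >= buf_end) return AVERROR_INVALIDDATA;`. The body of tgq_decode_mb starts and ends outside this hunk.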
@@ -174,6 +174,8 @@ static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs,
         tgq_idct_put_mb_dconly(s, mb_x, mb_y, dc);
     }
     *bs += mode;
+
+    return 0;
 }
 
 static void tgq_calculate_qtable(TgqContext *s, int quant){
@@ -196,7 +198,7 @@ static int tgq_decode_frame(AVCodecContext *avctx,
     const uint8_t *buf_start = buf;
     const uint8_t *buf_end = buf + buf_size;
     TgqContext *s = avctx->priv_data;
-    int x,y;
+    int x,y, ret;
 
     int big_endian = AV_RL32(&buf[4]) > 0x000FFFFF;
     buf += 8;
@@ -228,7 +230,8 @@ static int tgq_decode_frame(AVCodecContext *avctx,
 
     for (y=0; y<(avctx->height+15)/16; y++)
     for (x=0; x<(avctx->width+15)/16; x++)
-        tgq_decode_mb(s, y, x, &buf, buf_end);
+        if ((ret=tgq_decode_mb(s, y, x, &buf, buf_end)) < 0)
+            return ret;
 
     *data_size = sizeof(AVFrame);
     *(AVFrame*)data = s->frame;
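Review bot: The two nested `for` loops are unbraced and now carry a two-line `if` whose body is an early return, so a statement added later at the same indent could silently fall outside the loops or the error check. Bracing both loops and the `if` would keep the failure path visibly inside them. Splitting the assignment out of the condition also reads more plainly: `ret = tgq_decode_mb(s, y, x, &buf, buf_end);` followed by `if (ret < 0) return ret;`. tgq_decode_frame starts and ends outside this hunk, so whether anything acquired earlier in the function needs releasing on this new return path cannot be checked from here.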


