[FFmpeg-cvslog] smvjpegdec: only extract picture when a picture has been decoded.
Michael Niedermayer
git at videolan.org
Fri Jun 7 14:38:16 CEST 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Jun 7 14:20:59 2013 +0200| [bce2ed55596a603b0dd35e000e064b9a40eee542] | committer: Michael Niedermayer
smvjpegdec: only extract picture when a picture has been decoded.
Fixes null pointer dereference
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bce2ed55596a603b0dd35e000e064b9a40eee542
---
libavcodec/smvjpegdec.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c
index 57116c2..81ac08b 100644
--- a/libavcodec/smvjpegdec.c
+++ b/libavcodec/smvjpegdec.c
@@ -36,6 +36,7 @@ typedef struct SMVJpegDecodeContext {
AVFrame *picture[2]; /* pictures array */
AVCodecContext* avctx;
int frames_per_jpeg;
+ int mjpeg_data_size;
} SMVJpegDecodeContext;
static inline void smv_img_pnt_plane(uint8_t **dst, uint8_t *src,
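Review bot: The new `mjpeg_data_size` field has no comment, and its name suggests a byte count, while the later hunks use it as the got-picture flag written by `avcodec_decode_video2()` and cached across calls for the same JPEG block. A comment such as `/* non-zero while picture[0] holds a decoded MJPEG frame for the current block */` would make that contract explicit. Because the value persists in the context between packets, it is worth confirming that it starts at zero and is cleared wherever the decoder state is reset; neither is visible in this diff.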
@@ -131,9 +132,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
/* Are we at the start of a block? */
if (!cur_frame)
- ret = avcodec_decode_video2(s->avctx, mjpeg_data, data_size, avpkt);
- else /*use the last lot... */
- *data_size = sizeof(AVPicture);
+ ret = avcodec_decode_video2(s->avctx, mjpeg_data, &s->mjpeg_data_size, avpkt);
+
+ /*use the last lot... */
+ *data_size = s->mjpeg_data_size;
avctx->pix_fmt = s->avctx->pix_fmt;
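Review bot: The return value of `avcodec_decode_video2()` is still not checked before `*data_size = s->mjpeg_data_size;`, so on a failed decode the guard added in the last hunk relies on the callee having zeroed the flag on every error path. Clearing it locally would remove that dependency: `if (ret < 0) s->mjpeg_data_size = 0;` directly after the call. When `cur_frame` is non-zero the call is skipped and `ret` keeps whatever it was initialised to outside this hunk, which should be checked against the value the function is meant to return for the cached sub-frames. The function body starts and continues outside the hunk.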
@@ -142,17 +144,19 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
avcodec_set_dimensions(avctx, mjpeg_data->width,
mjpeg_data->height / s->frames_per_jpeg);
- s->picture[1]->extended_data = NULL;
- s->picture[1]->width = avctx->width;
- s->picture[1]->height = avctx->height;
- s->picture[1]->format = avctx->pix_fmt;
- /* ff_init_buffer_info(avctx, &s->picture[1]); */
- smv_img_pnt(s->picture[1]->data, mjpeg_data->data, mjpeg_data->linesize,
- avctx->pix_fmt, avctx->width, avctx->height, cur_frame);
- for (i = 0; i < AV_NUM_DATA_POINTERS; i++)
- s->picture[1]->linesize[i] = mjpeg_data->linesize[i];
-
- ret = av_frame_ref(data, s->picture[1]);
+ if (*data_size) {
+ s->picture[1]->extended_data = NULL;
+ s->picture[1]->width = avctx->width;
+ s->picture[1]->height = avctx->height;
+ s->picture[1]->format = avctx->pix_fmt;
+ /* ff_init_buffer_info(avctx, &s->picture[1]); */
+ smv_img_pnt(s->picture[1]->data, mjpeg_data->data, mjpeg_data->linesize,
+ avctx->pix_fmt, avctx->width, avctx->height, cur_frame);
+ for (i = 0; i < AV_NUM_DATA_POINTERS; i++)
+ s->picture[1]->linesize[i] = mjpeg_data->linesize[i];
+
+ ret = av_frame_ref(data, s->picture[1]);
+ }
return ret;
}
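Review bot: The `avcodec_set_dimensions(avctx, mjpeg_data->width, mjpeg_data->height / s->frames_per_jpeg)` call at the top of this hunk stays outside the new `if (*data_size)` guard, so it still reads `mjpeg_data` when no picture was decoded. For input that fails to decode, the outer context's dimensions are then set from a frame that may be empty or stale. Moving that call (and the preceding `avctx->pix_fmt` assignment) inside the `if (*data_size) {` block would keep every use of `mjpeg_data` behind the same check. The division also assumes `s->frames_per_jpeg` is non-zero; its validation is not visible here and should be confirmed in the init code. The function starts outside the hunk.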