[FFmpeg-devel] [PATCH] too late bounds check in mpeg1_decode_block_intra
Reimar Döffinger
Reimar.Doeffinger
Thu Apr 10 17:35:03 CEST 2008
Hello,
someone on MPlayer-users seems to have problems due to this. While I
can't test myself, the code seems obviously wrong to me.
Attached is my suggestion to fix it, though there are other
possibilities, like increasing the size of intra_scantable.permutated
to 256 and maybe more.
Greetings,
Reimar Döffinger
-------------- next part --------------
Index: libavcodec/mpeg12.c
===================================================================
--- libavcodec/mpeg12.c (revision 12758)
+++ libavcodec/mpeg12.c (working copy)
@@ -671,6 +671,10 @@
break;
} else if(level != 0) {
i += run;
+ if (i > 63){
+ av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+ return -1;
+ }
j = scantable[i];
level= (level*qscale*quant_matrix[j])>>4;
level= (level-1)|1;
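Review bot: The `if (i > 63)` block added after `i += run` is repeated verbatim in the escape branch further down, including the identical log string. A single shared error site (a common label or a small macro wrapping the `av_log` and `return -1`) would keep the two checks from drifting apart, and a distinct message per branch would show which path detected the damage.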
@@ -687,6 +691,10 @@
level = SHOW_UBITS(re, &s->gb, 8) ; LAST_SKIP_BITS(re, &s->gb, 8);
}
i += run;
+ if (i > 63){
+ av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+ return -1;
+ }
j = scantable[i];
if(level<0){
level= -level;
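Review bot: The check placed before `j = scantable[i];` in this branch carries no comment explaining that it must precede the table read. Since the whole patch exists because the check used to sit after the lookup, a one-line comment stating that `i` has to be validated before indexing `scantable` would stop it from being moved back in a later cleanup.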
@@ -698,10 +706,6 @@
level= (level-1)|1;
}
}
- if (i > 63){
- av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
- return -1;
- }
block[j] = level;
}
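Review bot: With the check removed ahead of `block[j] = level;`, the store is only safe if every path reaching it has passed one of the two new checks. The visible context shows the `level != 0` branch and the escape branch; please confirm that no other path arrives here with `j` derived from an unchecked `i`, and say so in the commit message so the removal is clearly intentional.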