[FFmpeg-devel] [PATCH] too late bounds check in mpeg1_decode_block_intra

Reimar Döffinger Reimar.Doeffinger
Thu Apr 10 17:35:03 CEST 2008


Hello,
someone on MPlayer-users seems to have problems due to this. While I
can't test myself, the code seems obviously wrong to me.
Attached is my suggestion to fix it, though there are other
possibilities, like increasing the size of intra_scantable.permutated
to 256 and maybe more.

Greetings,
Reimar Döffinger
-------------- next part --------------
Index: libavcodec/mpeg12.c
===================================================================
--- libavcodec/mpeg12.c	(revision 12758)
+++ libavcodec/mpeg12.c	(working copy)
@@ -671,6 +671,10 @@
                 break;
             } else if(level != 0) {
                 i += run;
+                if (i > 63){
+                    av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 level= (level*qscale*quant_matrix[j])>>4;
                 level= (level-1)|1;
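Review bot: The new `if (i > 63)` ahead of `j = scantable[i];` carries no comment saying that its position is the whole point of the fix. In the old order the table was read with an unchecked `i`, and the resulting `j` was then used in `quant_matrix[j]`, before the damage test ran. A one-line comment that the test must stay in front of the table read, and a named or size-derived bound instead of the literal 63, would keep a later cleanup from moving it back below the branches.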
@@ -687,6 +691,10 @@
                     level = SHOW_UBITS(re, &s->gb, 8)      ; LAST_SKIP_BITS(re, &s->gb, 8);
                 }
                 i += run;
+                if (i > 63){
+                    av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 if(level<0){
                     level= -level;
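Review bot: The four-line check after `i += run;` in this branch is a verbatim copy of the one added in the previous hunk, log text included, so the "ac-tex damaged" message cannot tell which path rejected the block and the two copies can drift apart over time. Consider a single shared error exit or a small macro used by both branches, so that the bound and the message are defined in one place.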
@@ -698,10 +706,6 @@
                     level= (level-1)|1;
                 }
             }
-            if (i > 63){
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }
 
             block[j] = level;
         }
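Review bot: With the trailing check removed, `block[j] = level;` depends entirely on each branch above having validated `i` before it computed `j`. The two branches touched by this patch do, and the remaining one leaves via `break`, but nothing at the store records that assumption. A short comment at the store, or an assertion on `j`, would catch a branch added later that sets `j` without the check.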


