[FFmpeg-devel] [PATCH] Fix crash in MJPEG decoder

Diego Santa Cruz Diego.SantaCruz
Mon Jun 30 08:50:19 CEST 2008

> -----Original Message-----
> From: ffmpeg-devel-bounces at mplayerhq.hu [mailto:ffmpeg-devel-
> bounces at mplayerhq.hu] On Behalf Of Stefan Gehrer
> Sent: Friday, June 27, 2008 8:43 PM
> To: FFmpeg development discussions and patches
> Subject: Re: [FFmpeg-devel] [PATCH] Fix crash in MJPEG decoder
> Diego Santa Cruz wrote:
> > Hi there,
> >
> > I have a JPEG file which segfaults the MJPEG decoder.
> >
> > This file has 4 color components (YCCK I believe, color transform 2
> in the Adobe APP14 marker) with no subsampling.
> >
> > The problem is that ff_mjpeg_decode_sof() sets the pixel format to
> PIX_FMT_GRAY8 and thus allocates only one component. Then
> mjpeg_decode_scan() decodes the MBs and tries to perform the IDCT on a
> non-allocated component which triggers a segfault.
> >
> > The attached patch fixes the problem by simply skipping the IDCT
> step in mjpeg_decode_scan() when the corresponding component is not
> allocated.
> >
> > The decoded image will not be correct anyhow, but it can be
> considered a best attempt to decode an unhandled color space and
> prevents ffmpeg from crashing.
> >
> > Tested on SVN HEAD with
> >
> > ffmpeg -i celgene.jpg test.avi
> >
> > I can provide the troublesome file if required (680K).
> >
> > Comments welcome.
> I think it would be nicer to adjust the value of nb_components outside
> of the macroblock loop instead of checking the pointers for validity
> inside it.

My knowledge of JPEG is a bit rusty, but I think you still need to
decode all the MBs to properly advance in the bitstream, so that's why
only the IDCT part is skipped. Note also that it is not necessarily the
first appearing component that is kept.
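Added example (not the patch from the thread, nor FFmpeg's code) of the trade-off Diego describes: a toy scan decoder in C in which every block is entropy-decoded so the bitstream stays in sync, while the IDCT write-out is skipped for a component whose plane was never allocated; scan_data, Frame, decode_block and run_gray8 are constructed stand-ins for the real MJPEG structures. Calling run_gray8(1), i.e. lowering nb_components instead of guarding the pointer, shows the desync: only 5 of the 18 bytes are consumed and the second MB is mis-read.

```c
#include <stddef.h>
#include <stdint.h>

#define NB_COMPONENTS 4   /* YCCK-style scan: four components, no subsampling */
#define NB_MBS 2
/* Constructed toy "bitstream" for the entropy-coded scan: each block is a
 * 1-byte length followed by that many coefficient bytes (8 blocks, 18 bytes). */
static const uint8_t scan_data[] = {
    2, 10, 20,  1, 30,  0,  3, 1, 2, 3,   /* MB 0: components 0..3 */
    1, 40,      2, 5, 6,  0,  1, 7        /* MB 1: components 0..3 */
};
/* Frame as in the PIX_FMT_GRAY8 case: four components, only plane 0 allocated. */
typedef struct { uint8_t *planes[NB_COMPONENTS]; } Frame;

/* Consume one block; *dc becomes a stand-in for the reconstructed DC value
 * (sum of coefficients). Returns -1 if the stream is exhausted. */
static int decode_block(const uint8_t *s, size_t len, size_t *pos, int *dc) {
    if (*pos >= len) return -1;
    uint8_t n = s[(*pos)++];
    if (*pos + n > len) return -1;
    int acc = 0;
    for (uint8_t i = 0; i < n; i++) acc += s[(*pos)++];
    *dc = acc;
    return 0;
}
/* Every block is entropy-decoded so the stream stays in sync, but the IDCT
 * write-out (storing dc into the plane) is skipped when the component has no
 * plane, which is the guard the patch describes. Returns bytes consumed. */
static long decode_scan(const uint8_t *s, size_t len, Frame *f, int nb_components) {
    size_t pos = 0;
    for (int mb = 0; mb < NB_MBS; mb++) {
        for (int c = 0; c < nb_components; c++) {
            int dc;
            if (decode_block(s, len, &pos, &dc) < 0) return -1;
            if (!f->planes[c]) continue;      /* no plane: skip IDCT, never dereference */
            f->planes[c][mb] = (uint8_t)dc;   /* stand-in for idct_put() */
        }
    }
    return (long)pos;
}

/* Decode the toy scan into a GRAY8-style frame with nb_components per MB;
 * plane 0 lands in gray8_plane0, the return value is bytes consumed. */
static uint8_t gray8_plane0[NB_MBS];
static long run_gray8(int nb_components) {
    for (int i = 0; i < NB_MBS; i++) gray8_plane0[i] = 0;
    Frame f = { { gray8_plane0, NULL, NULL, NULL } };
    return decode_scan(scan_data, sizeof(scan_data), &f, nb_components);
}
```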
