[FFmpeg-devel] [PATCH]Fix progressive jpgs with weird pix_fmts
Carl Eugen Hoyos
cehoyos at ag.or.at
Sat Jan 7 12:26:29 CET 2012
Hi!
On Saturday 07 January 2012 03:27:52 am Michael Niedermayer wrote:
> On Sat, Jan 07, 2012 at 03:17:36AM +0100, Carl Eugen Hoyos wrote:
> > On Saturday 07 January 2012 02:59:06 am Michael Niedermayer wrote:
> > > > Attached fixes the samples from ticket #892 for me.
> > > >
> > > > Please comment, Carl Eugen
> > >
> > > reset upscale* otherwise this is possibly exploitable if the width or
> > > height or "pix_fmt" changes
> >
> > As in attached?
>
> not enough
>
> 1st frame sets upscale_h
> 2nd frame changes width/height and branches via -1 from
> ff_mjpeg_find_marker to the_end
Iiuc, width/height can only be set in ff_mjpeg_decode_sof(), so new patch
resets the value at the beginning of this function.
> also wherever the variables are reset i suggest that a av_assert0 is
> added to make sure the pixel format matches the expectation that is
> theres enough space for chroma
I don't understand:
If the variables are reset (to 0), the code that may overwrite chroma /
corrupt memory is not called, the variables are set together with the pix_fmt.
Only s->ls change the pix_fmt later, upscale now also gets reset in this case.
New patch attached, Carl Eugen
-------------- next part --------------
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 58bbd63..8c2cc6b 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -217,6 +217,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
int len, nb_components, i, width, height, pix_fmt_id;
s->cur_scan = 0;
+ s->upscale_h = s->upscale_v = 0;
/* XXX: verify len field validity */
len = get_bits(&s->gb, 16);
@@ -393,6 +394,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
return -1;
}
if(s->ls){
+ s->upscale_h = s->upscale_v = 0;
if(s->nb_components > 1)
s->avctx->pix_fmt = PIX_FMT_RGB24;
else if(s->bits <= 8)
@@ -1173,28 +1175,6 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s,
return -1;
}
}
- if (s->upscale_h) {
- uint8_t *line = s->picture_ptr->data[s->upscale_h];
- for (i = 0; i < s->chroma_height; i++) {
- for (index = s->width - 1; index; index--)
- line[index] = (line[index / 2] + line[(index + 1) / 2]) >> 1;
- line += s->linesize[s->upscale_h];
- }
- }
- if (s->upscale_v) {
- uint8_t *dst = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(s->height - 1) * s->linesize[s->upscale_v]];
- for (i = s->height - 1; i; i--) {
- uint8_t *src1 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[i / 2 * s->linesize[s->upscale_v]];
- uint8_t *src2 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(i + 1) / 2 * s->linesize[s->upscale_v]];
- if (src1 == src2) {
- memcpy(dst, src1, s->width);
- } else {
- for (index = 0; index < s->width; index++)
- dst[index] = (src1[index] + src2[index]) >> 1;
- }
- dst -= s->linesize[s->upscale_v];
- }
- }
emms_c();
return 0;
out_of_range:
@@ -1524,7 +1504,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx,
AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
- int buf_size = avpkt->size;
+ int i, index, buf_size = avpkt->size;
MJpegDecodeContext *s = avctx->priv_data;
const uint8_t *buf_end, *buf_ptr;
const uint8_t *unescaped_buf_ptr;
@@ -1683,6 +1663,28 @@ eoi_parser:
av_log(avctx, AV_LOG_FATAL, "No JPEG data found in image\n");
return -1;
the_end:
+ if (s->upscale_h) {
+ uint8_t *line = s->picture_ptr->data[s->upscale_h];
+ for (i = 0; i < s->chroma_height; i++) {
+ for (index = s->width - 1; index; index--)
+ line[index] = (line[index / 2] + line[(index + 1) / 2]) >> 1;
+ line += s->linesize[s->upscale_h];
+ }
+ }
+ if (s->upscale_v) {
+ uint8_t *dst = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(s->height - 1) * s->linesize[s->upscale_v]];
+ for (i = s->height - 1; i; i--) {
+ uint8_t *src1 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[i / 2 * s->linesize[s->upscale_v]];
+ uint8_t *src2 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(i + 1) / 2 * s->linesize[s->upscale_v]];
+ if (src1 == src2) {
+ memcpy(dst, src1, s->width);
+ } else {
+ for (index = 0; index < s->width; index++)
+ dst[index] = (src1[index] + src2[index]) >> 1;
+ }
+ dst -= s->linesize[s->upscale_v];
+ }
+ }
av_log(avctx, AV_LOG_DEBUG, "mjpeg decode frame unused %td bytes\n", buf_end - buf_ptr);
// return buf_end - buf_ptr;
return buf_ptr - buf;
More information about the ffmpeg-devel
mailing list