[FFmpeg-devel] [PATCH v13] libavcodec/jpeg2000dec.c: Add support for PPT marker

Tue Apr 7 17:28:04 EEST 2020

On Tue, Apr 07, 2020 at 01:16:02AM +0530, gautamramk at gmail.com wrote:
> From: Gautam Ramakrishnan <gautamramk at gmail.com>
> 
> This patch adds functional changes to support the
> PPT marker. This patch fixes bug ticket #4610.
> ---
>  libavcodec/jpeg2000dec.c | 85 ++++++++++++++++++++++++++++++++++------
>  1 file changed, 74 insertions(+), 11 deletions(-)
> 
> diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
> index 732d88e6fc..97c38ae5f7 100644
> --- a/libavcodec/jpeg2000dec.c
> +++ b/libavcodec/jpeg2000dec.c
> @@ -83,6 +83,10 @@ typedef struct Jpeg2000Tile {
>      Jpeg2000QuantStyle  qntsty[4];
>      Jpeg2000POC         poc;
>      Jpeg2000TilePart    tile_part[32];
> +    uint8_t             has_ppt;                // whether this tile has a ppt marker
> +    uint8_t             *packed_headers;        // contains packed headers. Used only along with PPT marker
> +    int                 packed_headers_size;    // size in bytes of the packed headers
> +    GetByteContext      packed_headers_stream;  // byte context corresponding to packed headers
>      uint16_t tp_idx;                    // Tile-part index
>      int coord[2][2];                    // border coordinates {{x0, x1}, {y0, y1}}
>  } Jpeg2000Tile;
> @@ -855,6 +859,34 @@ static int get_plt(Jpeg2000DecoderContext *s, int n)
>      return 0;
>  }
>  
> +static int get_ppt(Jpeg2000DecoderContext *s, int n)
> +{
> +    Jpeg2000Tile *tile;
> +
> +    if (s->curtileno < 0)
> +        return AVERROR_INVALIDDATA;
> +
> +    tile = &s->tile[s->curtileno];
> +    if (tile->tp_idx != 0) {
> +        av_log(s->avctx, AV_LOG_ERROR,
> +               "PPT marker can occur only on first tile part of a tile.\n");
> +        return AVERROR_INVALIDDATA;
> +    }
> +
> +    tile->has_ppt = 1;  // this tile has a ppt marker
> +    bytestream2_get_byte(&s->g); // Zppt is skipped and not used

> +    tile->packed_headers = av_realloc(tile->packed_headers,
> +                                      tile->packed_headers_size + n - 3);
> +    if (!tile->packed_headers)
> +        return AVERROR(ENOMEM);

packed_headers before this function may contain an allocated array
packed_headers_size would contain its number of elements

If there is insufficient memory left, av_realloc() could fail and
return NULL. That NULL would overwrite the pointer to the previous
packed_headers, so it could not be freed anymore and would leak

also what happens when n is smaller than 3 ?

thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Frequently ignored answer#1 FFmpeg bugs should be sent to our bugtracker. User
questions about the command line tools should be sent to the ffmpeg-user ML.
And questions about how to use libav* should be sent to the libav-user ML.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200407/2d4ddfbe/attachment.sig>