diff options
| author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2016-02-26 00:11:12 +0100 |
|---|---|---|
| committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2016-02-28 13:32:01 +0100 |
| commit | 45fa03b1f9b0475df666f7592f250c37763b7d64 (patch) | |
| tree | 159bbe6c6a7d191310832cfdcfd505afa37db64b /libavcodec | |
| parent | 0f199f0ad01ea4504edcfd947c85cfa69292f881 (diff) | |
mjpegdec: Do not assume unused plane pointer are NULL.
We do neither document nor check such a requirement
and for application-provided get_buffer2 they could
contain the result of a malloc(0) or whatever value
they had previously.
This fixes a use-after-free in e.g. MPlayer:
https://trac.mplayerhq.hu/ticket/2262
We might want to consider changing the (documented)
API in addition though.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/mjpegdec.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 113022ffef..bd7fb94980 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2268,7 +2268,8 @@ the_end: avctx->pix_fmt == AV_PIX_FMT_GBRAP ); avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); - for (p = 0; p<4; p++) { + av_assert0(s->nb_components == av_pix_fmt_count_planes(s->picture_ptr->format)); + for (p = 0; p<s->nb_components; p++) { uint8_t *line = s->picture_ptr->data[p]; int w = s->width; int h = s->height; @@ -2326,7 +2327,8 @@ the_end: avctx->pix_fmt == AV_PIX_FMT_GBRAP ); avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); - for (p = 0; p < 4; p++) { + av_assert0(s->nb_components == av_pix_fmt_count_planes(s->picture_ptr->format)); + for (p = 0; p < s->nb_components; p++) { uint8_t *dst; int w = s->width; int h = s->height; @@ -2353,7 +2355,8 @@ the_end: if (s->flipped) { int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); - for (index=0; index<4; index++) { + av_assert0(s->nb_components == av_pix_fmt_count_planes(s->picture_ptr->format)); + for (index=0; index<s->nb_components; index++) { uint8_t *dst = s->picture_ptr->data[index]; int w = s->picture_ptr->width; int h = s->picture_ptr->height; @@ -2375,6 +2378,7 @@ the_end: if (s->adobe_transform == 0 && s->avctx->pix_fmt == AV_PIX_FMT_GBRAP) { int w = s->picture_ptr->width; int h = s->picture_ptr->height; + av_assert0(s->nb_components == 4); for (i=0; i<h; i++) { int j; uint8_t *dst[4]; @@ -2397,6 +2401,7 @@ the_end: if (s->adobe_transform == 2 && s->avctx->pix_fmt == AV_PIX_FMT_YUVA444P) { int w = s->picture_ptr->width; int h = s->picture_ptr->height; + av_assert0(s->nb_components == 4); for (i=0; i<h; i++) { int j; uint8_t *dst[4]; |