Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/avcodec.h7
-rw-r--r--libavcodec/mpeg12.c22
2 files changed, 22 insertions, 7 deletions
diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
index ee1460727f..49a2ebdeb4 100644
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -118,8 +118,11 @@ enum SampleFormat {
#define AVCODEC_MAX_AUDIO_FRAME_SIZE 131072
/**
- * Required number of zero bytes at the end of the input bitstream for decoding.
- * to avoid overreading (and possibly segfaulting)
+ * Required number of additionally allocated bytes at the end of the input bitstream for decoding.
+ * this is mainly needed because some optimized bitstream readers read
+ * 32 or 64 bit at once and could read over the end<br>
+ * Note, if the first 23 bits of the additional bytes are not 0 then damaged
+ * MPEG bitstreams could cause overread and segfault
*/
#define FF_INPUT_BUFFER_PADDING_SIZE 8
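Review bot: The rewritten comment drops the word "zero" from the requirement, yet the last two lines still say that non-zero bits in the padding let a damaged MPEG stream overread, so the caller contract is now stated only implicitly; the padding must be both allocated and zeroed, and the comment should say so outright. It also carries a stray HTML `<br>` and a lowercase sentence start. I would replace the body with `Required number of additionally allocated bytes at the end of the input bitstream for decoding. This is mainly needed because some optimized bitstream readers read 32 or 64 bits at once and could read over the end. The padding must be zeroed: if the first 23 bits after the data are not zero, a damaged MPEG bitstream can cause an overread and a segfault.` The value 8 covers the 23 bits, so the constant itself is fine.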
diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c
index a519fd9207..c31a711c7c 100644
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -1934,6 +1934,17 @@ static int mpeg_decode_slice(AVCodecContext *avctx,
s->mb_x = 0;
s->mb_y++;
+
+ if(s->mb_y<<field_pic >= s->mb_height){
+ int left= s->gb.size_in_bits - get_bits_count(&s->gb);
+
+ if(left < 0 || (left && show_bits(&s->gb, FFMIN(left, 23)))
+ || (avctx->error_resilience >= FF_ER_AGGRESSIVE && left>8)){
+ fprintf(stderr, "end missmatch left=%d\n", left);
+ return -1;
+ }else
+ goto eos;
+ }
}
/* skip mb handling */
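Review bot: The `left < 0` branch on the `if` line can only be true after the bit reader has already consumed bits past `size_in_bits`, so the check detects an overread rather than preventing one; it is only memory-safe because callers are required to supply FF_INPUT_BUFFER_PADDING_SIZE bytes after the buffer, and that dependency deserves a comment next to the `int left = ...` line, e.g. `/* left < 0: the reader already ran past the data; safe only because of FF_INPUT_BUFFER_PADDING_SIZE */`. The error text in the `fprintf` line also misspells "mismatch" (`"end mismatch left=%d\n"`). mpeg_decode_slice begins before this hunk, so I cannot see whether any other path increments `mb_y` without passing this check.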
@@ -1963,10 +1974,6 @@ static int mpeg_decode_slice(AVCodecContext *avctx,
}
}
}
- if(s->mb_y<<field_pic >= s->mb_height){
- fprintf(stderr, "slice too long\n");
- return -1;
- }
}
eos: // end of slice
*buf += get_bits_count(&s->gb)/8 - 1;
@@ -2248,9 +2255,14 @@ static int mpeg_decode_frame(AVCodecContext *avctx,
}
return FFMAX(0, buf_ptr - buf - s2->parse_context.last_index);
}
+
+ input_size = buf_end - buf_ptr;
+
+ if(avctx->debug & FF_DEBUG_STARTCODE){
+ printf("%3X at %d left %d\n", start_code, buf_ptr-buf, input_size);
+ }
/* prepare data for next start code */
- input_size = buf_end - buf_ptr;
switch(start_code) {
case SEQ_START_CODE:
mpeg1_decode_sequence(avctx, buf_ptr,
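Review bot: In the added `printf` line, `buf_ptr-buf` is a pointer difference (ptrdiff_t) passed to `%d`, which is a format/argument type mismatch on targets where ptrdiff_t is wider than int; cast it explicitly, `printf("%3X at %d left %d\n", start_code, (int)(buf_ptr-buf), input_size);`. The debug output also goes to stdout via `printf`, whereas the diagnostics elsewhere in this patch use `fprintf(stderr, ...)`; writing diagnostics to stdout can corrupt any decoded output a caller sends there, so `fprintf(stderr, ...)` would be the consistent choice. Moving `input_size` above the debug block is fine since nothing between the two positions uses it. mpeg_decode_frame continues past the end of this hunk.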