From 7a62ddb6895f29ff56f65429fdda0bdde4e30265 Mon Sep 17 00:00:00 2001
From: Reimar Döffinger
Date: Sat, 5 Nov 2011 22:26:42 +0100
Subject: rtjpeg: check get_block return value for error.

This avoids crashes due to reading out-of-bounds.

Signed-off-by: Anton Khirnov
---
 libavcodec/rtjpeg.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
(limited to 'libavcodec/rtjpeg.c')

diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c
index 8d1f28a436..dac7993955 100644
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -114,24 +114,25 @@ int rtjpeg_decode_frame_yuv420(RTJpegContext *c, AVFrame *f,
 init_get_bits(&gb, buf, buf_size * 8);
 for (y = 0; y < h; y++) {
 for (x = 0; x < w; x++) {
+#define BLOCK(quant, dst, stride) do { \
+ int res = get_block(&gb, block, c->scan, quant); \
+ if (res < 0) \
+ return res; \
+ if (res > 0) \
+ c->dsp->idct_put(dst, stride, block); \
+} while (0)
 DCTELEM *block = c->block;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y1, f->linesize[0], block);
+ BLOCK(c->lquant, y1, f->linesize[0]);
 y1 += 8;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y1, f->linesize[0], block);
+ BLOCK(c->lquant, y1, f->linesize[0]);
 y1 += 8;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y2, f->linesize[0], block);
+ BLOCK(c->lquant, y2, f->linesize[0]);
 y2 += 8;
- if (get_block(&gb, block, c->scan, c->lquant) > 0)
- c->dsp->idct_put(y2, f->linesize[0], block);
+ BLOCK(c->lquant, y2, f->linesize[0]);
 y2 += 8;
- if (get_block(&gb, block, c->scan, c->cquant) > 0)
- c->dsp->idct_put(u, f->linesize[1], block);
+ BLOCK(c->cquant, u, f->linesize[1]);
 u += 8;
- if (get_block(&gb, block, c->scan, c->cquant) > 0)
- c->dsp->idct_put(v, f->linesize[2], block);
+ BLOCK(c->cquant, v, f->linesize[2]);
 v += 8;
 }
 y1 += 2 * 8 * (f->linesize[0] - w);
-- 
cgit v1.2.3
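Review bot: The `BLOCK` macro hides a `return res;` and is defined inside the innermost `for (x ...)` body with no matching `#undef`, so the early exit on a get_block() error is easy to overlook at the six call sites and the name stays defined for the rest of the file. Hoist the definition above the loops with a comment such as `/* decode one 8x8 block; returns from the enclosing function if get_block() fails */`, and add `#undef BLOCK` after the loops. The function also gains a negative return path that leaves the frame only partly written; its callers are outside this hunk, so it is worth confirming that they test for a negative result before using the value. rtjpeg_decode_frame_yuv420's body starts and ends outside the hunk.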