From 4e6413c67d3f80d24db2caa9ce5f030225e67e2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@gmx.de>
Date: Sat, 5 Nov 2011 22:26:42 +0100
Subject: [PATCH] rtjpeg: check get_block return value for error.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This avoids crashes due to reading out-of-bounds.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
---
 libavcodec/rtjpeg.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c
index 1827c9111b9..07e4f02e675 100644
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -114,24 +114,25 @@ int rtjpeg_decode_frame_yuv420(RTJpegContext *c, AVFrame *f,
     init_get_bits(&gb, buf, buf_size * 8);
     for (y = 0; y < h; y++) {
         for (x = 0; x < w; x++) {
+#define BLOCK(quant, dst, stride) do { \
+    int res = get_block(&gb, block, c->scan, quant); \
+    if (res < 0) \
+        return res; \
+    if (res > 0) \
+        c->dsp->idct_put(dst, stride, block); \
+} while (0)
             DCTELEM *block = c->block;
-            if (get_block(&gb, block, c->scan, c->lquant) > 0)
-                c->dsp->idct_put(y1, f->linesize[0], block);
+            BLOCK(c->lquant, y1, f->linesize[0]);
             y1 += 8;
-            if (get_block(&gb, block, c->scan, c->lquant) > 0)
-                c->dsp->idct_put(y1, f->linesize[0], block);
+            BLOCK(c->lquant, y1, f->linesize[0]);
             y1 += 8;
-            if (get_block(&gb, block, c->scan, c->lquant) > 0)
-                c->dsp->idct_put(y2, f->linesize[0], block);
+            BLOCK(c->lquant, y2, f->linesize[0]);
             y2 += 8;
-            if (get_block(&gb, block, c->scan, c->lquant) > 0)
-                c->dsp->idct_put(y2, f->linesize[0], block);
+            BLOCK(c->lquant, y2, f->linesize[0]);
             y2 += 8;
-            if (get_block(&gb, block, c->scan, c->cquant) > 0)
-                c->dsp->idct_put(u, f->linesize[1], block);
+            BLOCK(c->cquant, u,  f->linesize[1]);
             u += 8;
-            if (get_block(&gb, block, c->scan, c->cquant) > 0)
-                c->dsp->idct_put(v, f->linesize[2], block);
+            BLOCK(c->cquant, v,  f->linesize[2]);
             v += 8;
         }
         y1 += 2 * 8 * (f->linesize[0] - w);
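Review bot: The `BLOCK` macro introduced at the top of the inner loop is never undefined after its last use on the `c->cquant, v` line, so it stays visible to the rest of the translation unit and to any later code that picks the same name; add `#undef BLOCK` immediately after that last use. The macro also reads `gb`, `block` and `c` from the enclosing scope rather than taking them as arguments, and a `return res;` from inside a macro hides an early exit from the function on the loop lines where it is used; a one-line comment above the definition such as `/* decodes one 8x8 block into `block`; a negative get_block() result aborts the whole frame decode */` would make that control flow visible to readers. Since the early return now leaves the frame only partially written, the caller presumably must treat a negative return as "no usable picture" — that contract is outside this hunk, so I cannot confirm it here. rtjpeg_decode_frame_yuv420 begins before the hunk and continues after it.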
-- 
GitLab