From e268a352af893e47bd3ea2aed90761cb0b4feca7 Mon Sep 17 00:00:00 2001
From: Janne Grunau <janne-libav@jannau.net>
Date: Thu, 5 Jan 2012 03:47:21 +0100
Subject: [PATCH] mjpegdec: parse RSTn to prevent skipping other data in
mjpeg_decode_scan
Check explicitly if enough bits are left to prevent an infinite loop
when the bitstream buffer is not followed by zero-padding.
Based on patches by Michael Niedermayer <michaelni@gmx.at>.
---
libavcodec/mjpegdec.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 058b08fa83c..7a85c16d954 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -881,14 +881,22 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
}
}
- if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */
- --s->restart_count;
- align_get_bits(&s->gb);
- while(show_bits(&s->gb, 8) == 0xFF)
- skip_bits(&s->gb, 8);
- skip_bits(&s->gb, 8);
- for (i=0; i<nb_components; i++) /* reset dc */
- s->last_dc[i] = 1024;
+ if (s->restart_interval) {
+ s->restart_count--;
+ i = 8 + ((-get_bits_count(&s->gb)) & 7);
+ /* skip RSTn */
+ if (show_bits(&s->gb, i) == (1 << i) - 1) {
+ int pos = get_bits_count(&s->gb);
+ align_get_bits(&s->gb);
+ while (get_bits_left(&s->gb) >= 8 && show_bits(&s->gb, 8) == 0xFF)
+ skip_bits(&s->gb, 8);
+ if ((get_bits(&s->gb, 8) & 0xF8) == 0xD0) {
+ for (i = 0; i < nb_components; i++) /* reset dc */
+ s->last_dc[i] = 1024;
+ } else {
+ skip_bits_long(&s->gb, pos - get_bits_count(&s->gb));
+ }
+ }
}
}
}
--
GitLab