On 31.12.2015 17:24, Michael Niedermayer wrote:
> On Thu, Dec 31, 2015 at 05:02:14PM +0100, Andreas Cadhalpun wrote:
>> On 30.12.2015 21:12, Andreas Cadhalpun wrote:
>>> It is read up to length s->width * stride, which can be larger than the
>>> linesize. (stride = (s->nb_components > 1) ? 3 : 1)
>>>
>>> This fixes an out of bounds read.
>>>
>>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>>> ---
>>>  libavcodec/jpeglsdec.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
>>> index 68151cb..11ffe93 100644
>>> --- a/libavcodec/jpeglsdec.c
>>> +++ b/libavcodec/jpeglsdec.c
>>> @@ -348,7 +348,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
>>>      JLSState *state;
>>>      int off = 0, stride = 1, width, shift, ret = 0;
>>>
>>> -    zero = av_mallocz(s->picture_ptr->linesize[0]);
>>> +    zero = av_mallocz(FFMAX(s->picture_ptr->linesize[0], s->width * ((s->nb_components > 1) ? 3 : 1)));
>>>      if (!zero)
>>>          return AVERROR(ENOMEM);
>>>      last = zero;
>>>
>>
>> A better fix is to error out before this happens.
>> Patch doing that attached.
>>
>> Best regards,
>> Andreas
>
>>  mjpegdec.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>> e4b9f65abd49be0714b6367f8530d1829102e6d8  0001-mjpegdec-extend-check-for-incompatible-values-of-s-r.patch
>> From 637a849f80bff4acaa42afe8cb4d2dd60fc4248a Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> Date: Thu, 31 Dec 2015 16:55:43 +0100
>> Subject: [PATCH] mjpegdec: extend check for incompatible values of s->rgb and s->ls
>>
>> This can happen if s->ls changes from 0 to 1, but picture allocation is
>> skipped due to s->interlaced.
>>
>> In that case ff_jpegls_decode_picture could be called even though the
>> s->picture_ptr frame has the wrong pixel format and thus a wrong
>> linesize, which results in a too small zero buffer being allocated.
>>
>> This fixes an out-of-bounds read in ls_decode_line.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavcodec/mjpegdec.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
>> index c812b86..c730e05 100644
>> --- a/libavcodec/mjpegdec.c
>> +++ b/libavcodec/mjpegdec.c
>> @@ -632,7 +632,8 @@ unk_pixfmt:
>>          av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len);
>>      }
>>
>> -    if (s->rgb && !s->lossless && !s->ls) {
>> +    if ((s->rgb && !s->lossless && !s->ls) ||
>> +        (!s->rgb && s->ls && s->nb_components > 1)) {
>>          av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n");
>>          return AVERROR_PATCHWELCOME;
>
> LGTM
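Review bot: on the first patch (the jpeglsdec.c hunk around the av_mallocz call), the FFMAX() argument re-derives the stride as `(s->nb_components > 1) ? 3 : 1` two lines below the declaration `int off = 0, stride = 1, ...` and before the function has computed its own stride, so two copies of the same formula have to be kept in sync by hand; if the buffer really needed to grow, computing `stride` first and allocating `s->width * stride` would be the cleaner form. The larger problem is that sizing `zero` past `linesize[0]` makes the padding row disagree with the frame the decoder is about to write into, which is exactly the wrong-pixel-format situation the follow-up commit message describes: the frame is already inconsistent at that point, and the right place to stop it is the SOF check that the second patch adds, not a larger scratch buffer.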
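Review bot: on the mjpegdec.c hunk, the new clause `(!s->rgb && s->ls && s->nb_components > 1)` rejects every non-RGB multi-component JPEG-LS stream at decode_sof0, while the commit message describes the trigger as s->ls flipping from 0 to 1 with frame allocation skipped because of s->interlaced, i.e. a stale s->picture_ptr. A comment above the condition saying that this combination is unsupported by the decoder, rather than merely unallocated in this code path, would make the intent clear, and if such streams are otherwise decodable the narrower fix would be to force reallocation when s->ls changes. Both arms now share the single message "Unsupported coding and pixel format combination"; including s->rgb, s->ls, s->lossless and s->nb_components in the av_log would make the resulting PATCHWELCOME reports distinguishable. A FATE test built from the triggering sample would keep the out-of-bounds read in ls_decode_line from regressing.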
Pushed.

Best regards,
Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel