Browse Source
vc1dec: Do not allow field_mode to change after the first header
This fixes out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Martin Storsjö <martin@martin.st>tags/n2.0
Michael Niedermayer
Martin Storsjö
13 years ago
3 changed files with 14 additions and 6 deletions
Unified View
Diff Options
-
+11 -6libavcodec/vc1.c
-
+1 -0libavcodec/vc1.h
-
+2 -0libavcodec/vc1dec.c
+ 11
- 6
libavcodec/vc1.c
View File
| @@ -825,6 +825,7 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) | |||||
| int status; | int status; | ||||
| int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */ | int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */ | ||||
| int scale, shift, i; /* for initializing LUT for intensity compensation */ | int scale, shift, i; /* for initializing LUT for intensity compensation */ | ||||
| int field_mode, fcm; | |||||
| v->p_frame_skipped = 0; | v->p_frame_skipped = 0; | ||||
| if (v->second_field) { | if (v->second_field) { | ||||
| @@ -836,19 +837,23 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) | |||||
| goto parse_common_info; | goto parse_common_info; | ||||
| } | } | ||||
| v->field_mode = 0; | |||||
| field_mode = 0; | |||||
| if (v->interlace) { | if (v->interlace) { | ||||
| v->fcm = decode012(gb); | |||||
| if (v->fcm) { | |||||
| if (v->fcm == ILACE_FIELD) | |||||
| v->field_mode = 1; | |||||
| fcm = decode012(gb); | |||||
| if (fcm) { | |||||
| if (fcm == ILACE_FIELD) | |||||
| field_mode = 1; | |||||
| if (!v->warn_interlaced++) | if (!v->warn_interlaced++) | ||||
| av_log(v->s.avctx, AV_LOG_ERROR, | av_log(v->s.avctx, AV_LOG_ERROR, | ||||
| "Interlaced frames/fields support is incomplete\n"); | "Interlaced frames/fields support is incomplete\n"); | ||||
| } | } | ||||
| } else { | } else { | ||||
| v->fcm = PROGRESSIVE; | |||||
| fcm = PROGRESSIVE; | |||||
| } | } | ||||
| if (!v->first_pic_header_flag && v->field_mode != field_mode) | |||||
| return AVERROR_INVALIDDATA; | |||||
| v->field_mode = field_mode; | |||||
| v->fcm = fcm; | |||||
| if (v->field_mode) { | if (v->field_mode) { | ||||
| v->fptype = get_bits(gb, 3); | v->fptype = get_bits(gb, 3); | ||||
+ 1
- 0
libavcodec/vc1.h
View File
| @@ -372,6 +372,7 @@ typedef struct VC1Context{ | |||||
| int qs_last; ///< if qpel has been used in the previous (tr.) picture | int qs_last; ///< if qpel has been used in the previous (tr.) picture | ||||
| int bmvtype; | int bmvtype; | ||||
| int frfd, brfd; ///< reference frame distance (forward or backward) | int frfd, brfd; ///< reference frame distance (forward or backward) | ||||
| int first_pic_header_flag; | |||||
| int pic_header_flag; | int pic_header_flag; | ||||
| /** Frame decoding info for sprite modes */ | /** Frame decoding info for sprite modes */ | ||||
+ 2
- 0
libavcodec/vc1dec.c
View File
| @@ -5463,6 +5463,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, | |||||
| // do parse frame header | // do parse frame header | ||||
| v->pic_header_flag = 0; | v->pic_header_flag = 0; | ||||
| v->first_pic_header_flag = 1; | |||||
| if (v->profile < PROFILE_ADVANCED) { | if (v->profile < PROFILE_ADVANCED) { | ||||
| if (ff_vc1_parse_frame_header(v, &s->gb) < 0) { | if (ff_vc1_parse_frame_header(v, &s->gb) < 0) { | ||||
| goto err; | goto err; | ||||
| @@ -5472,6 +5473,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, | |||||
| goto err; | goto err; | ||||
| } | } | ||||
| } | } | ||||
| v->first_pic_header_flag = 0; | |||||
| if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) | if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) | ||||
| && s->pict_type != AV_PICTURE_TYPE_I) { | && s->pict_type != AV_PICTURE_TYPE_I) { | ||||