Browse Source
vc1dec: do not allow field_mode to change after the first header
Fixes out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>tags/n1.1
Michael Niedermayer
13 years ago
3 changed files with 14 additions and 6 deletions
Unified View
Diff Options
-
+11 -6libavcodec/vc1.c
-
+1 -0libavcodec/vc1.h
-
+2 -0libavcodec/vc1dec.c
+ 11
- 6
libavcodec/vc1.c
View File
| @@ -834,6 +834,7 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) | |||||
| int status; | int status; | ||||
| int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */ | int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */ | ||||
| int scale, shift, i; /* for initializing LUT for intensity compensation */ | int scale, shift, i; /* for initializing LUT for intensity compensation */ | ||||
| int field_mode, fcm; | |||||
| v->numref=0; | v->numref=0; | ||||
| v->p_frame_skipped = 0; | v->p_frame_skipped = 0; | ||||
| @@ -848,19 +849,23 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) | |||||
| goto parse_common_info; | goto parse_common_info; | ||||
| } | } | ||||
| v->field_mode = 0; | |||||
| field_mode = 0; | |||||
| if (v->interlace) { | if (v->interlace) { | ||||
| v->fcm = decode012(gb); | |||||
| if (v->fcm) { | |||||
| if (v->fcm == ILACE_FIELD) | |||||
| v->field_mode = 1; | |||||
| fcm = decode012(gb); | |||||
| if (fcm) { | |||||
| if (fcm == ILACE_FIELD) | |||||
| field_mode = 1; | |||||
| if (!v->warn_interlaced++) | if (!v->warn_interlaced++) | ||||
| av_log(v->s.avctx, AV_LOG_ERROR, | av_log(v->s.avctx, AV_LOG_ERROR, | ||||
| "Interlaced frames/fields support is incomplete\n"); | "Interlaced frames/fields support is incomplete\n"); | ||||
| } | } | ||||
| } else { | } else { | ||||
| v->fcm = PROGRESSIVE; | |||||
| fcm = PROGRESSIVE; | |||||
| } | } | ||||
| if (!v->first_pic_header_flag && v->field_mode != field_mode) | |||||
| return -1; | |||||
| v->field_mode = field_mode; | |||||
| v->fcm = fcm; | |||||
| if (v->field_mode) { | if (v->field_mode) { | ||||
| v->fptype = get_bits(gb, 3); | v->fptype = get_bits(gb, 3); | ||||
+ 1
- 0
libavcodec/vc1.h
View File
| @@ -368,6 +368,7 @@ typedef struct VC1Context{ | |||||
| int qs_last; ///< if qpel has been used in the previous (tr.) picture | int qs_last; ///< if qpel has been used in the previous (tr.) picture | ||||
| int bmvtype; | int bmvtype; | ||||
| int frfd, brfd; ///< reference frame distance (forward or backward) | int frfd, brfd; ///< reference frame distance (forward or backward) | ||||
| int first_pic_header_flag; | |||||
| int pic_header_flag; | int pic_header_flag; | ||||
| /** Frame decoding info for sprite modes */ | /** Frame decoding info for sprite modes */ | ||||
+ 2
- 0
libavcodec/vc1dec.c
View File
| @@ -5516,6 +5516,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, | |||||
| // do parse frame header | // do parse frame header | ||||
| v->pic_header_flag = 0; | v->pic_header_flag = 0; | ||||
| v->first_pic_header_flag = 1; | |||||
| if (v->profile < PROFILE_ADVANCED) { | if (v->profile < PROFILE_ADVANCED) { | ||||
| if (ff_vc1_parse_frame_header(v, &s->gb) < 0) { | if (ff_vc1_parse_frame_header(v, &s->gb) < 0) { | ||||
| goto err; | goto err; | ||||
| @@ -5525,6 +5526,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, | |||||
| goto err; | goto err; | ||||
| } | } | ||||
| } | } | ||||
| v->first_pic_header_flag = 0; | |||||
| if (avctx->debug & FF_DEBUG_PICT_INFO) | if (avctx->debug & FF_DEBUG_PICT_INFO) | ||||
| av_log(v->s.avctx, AV_LOG_DEBUG, "pict_type: %c\n", av_get_picture_type_char(s->pict_type)); | av_log(v->s.avctx, AV_LOG_DEBUG, "pict_type: %c\n", av_get_picture_type_char(s->pict_type)); | ||||