On Tue, Apr 07, 2020 at 01:16:02AM +0530, gautamr...@gmail.com wrote: > From: Gautam Ramakrishnan <gautamr...@gmail.com> > > This patch adds functional changes to support the > PPT marker. This patch fixes bug ticket #4610. > --- > libavcodec/jpeg2000dec.c | 85 ++++++++++++++++++++++++++++++++++------ > 1 file changed, 74 insertions(+), 11 deletions(-) > > diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c > index 732d88e6fc..97c38ae5f7 100644 > --- a/libavcodec/jpeg2000dec.c > +++ b/libavcodec/jpeg2000dec.c > @@ -83,6 +83,10 @@ typedef struct Jpeg2000Tile { > Jpeg2000QuantStyle qntsty[4]; > Jpeg2000POC poc; > Jpeg2000TilePart tile_part[32]; > + uint8_t has_ppt; // whether this tile has a > ppt marker > + uint8_t *packed_headers; // contains packed headers. > Used only along with PPT marker > + int packed_headers_size; // size in bytes of the > packed headers > + GetByteContext packed_headers_stream; // byte context > corresponding to packed headers > uint16_t tp_idx; // Tile-part index > int coord[2][2]; // border coordinates {{x0, x1}, > {y0, y1}} > } Jpeg2000Tile; > @@ -855,6 +859,34 @@ static int get_plt(Jpeg2000DecoderContext *s, int n) > return 0; > } > > +static int get_ppt(Jpeg2000DecoderContext *s, int n) > +{ > + Jpeg2000Tile *tile; > + > + if (s->curtileno < 0) > + return AVERROR_INVALIDDATA; > + > + tile = &s->tile[s->curtileno]; > + if (tile->tp_idx != 0) { > + av_log(s->avctx, AV_LOG_ERROR, > + "PPT marker can occur only on first tile part of a tile.\n"); > + return AVERROR_INVALIDDATA; > + } > + > + tile->has_ppt = 1; // this tile has a ppt marker > + bytestream2_get_byte(&s->g); // Zppt is skipped and not used
> + tile->packed_headers = av_realloc(tile->packed_headers, > + tile->packed_headers_size + n - 3); > + if (!tile->packed_headers) > + return AVERROR(ENOMEM);

packed_headers before this function may contain an allocated array.
packed_headers_size would contain its number of elements.

If there is insufficient memory left, av_realloc() could fail and return NULL. That NULL would overwrite the pointer to the previous packed_headers, so it could not be freed anymore and would leak.

Also, what happens when n is smaller than 3?

thanks

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Frequently ignored answer#1 FFmpeg bugs should be sent to our bugtracker. User questions about the command line tools should be sent to the ffmpeg-user ML. And questions about how to use libav* should be sent to the libav-user ML.
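Review bot: In the Jpeg2000Tile hunk, packed_headers_size is declared as int although it is a byte count that get_ppt() grows by n - 3 for each PPT segment, so the sum handed to av_realloc() can go negative or wrap when converted to a size. Consider size_t here, or an explicit upper bound checked before the addition, and extend the packed_headers comment to say that the tile owns the buffer and that it has to be released together with the tile.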
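Review bot: In get_ppt(), n reaches the size expression "tile->packed_headers_size + n - 3" with no earlier check that n is at least 3, and the Zppt byte is read and thrown away, so segments are appended in arrival order without their index being looked at. Return AVERROR_INVALIDDATA for n < 3 before reading Zppt, and store the av_realloc() result in a temporary pointer (or use av_reallocp()) so that the previous buffer is still reachable when the allocation fails. If ignoring Zppt is intentional, the comment should state the ordering assumption it relies on.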
ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel