[FFmpeg-cvslog] mjpegdec: consider chroma subsampling in size check
ffmpeg | branch: release/2.6 | Andreas Cadhalpun
| Wed Dec 2 21:52:23 2015 +0100|
[a90967013b1c2519cd7f7969ba29562cf37565c4] | committer: Andreas Cadhalpun
mjpegdec: consider chroma subsampling in size check
If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.
This fixes out of bounds writes causing segmentation faults or memory
corruption.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)
Signed-off-by: Andreas Cadhalpun
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a90967013b1c2519cd7f7969ba29562cf37565c4
---
libavcodec/mjpegdec.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 42767bc..8a190fc 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1219,7 +1219,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
int mb_bitmask_size,
const AVFrame *reference)
{
-int i, mb_x, mb_y;
+int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width,
chroma_height;
uint8_t *data[MAX_COMPONENTS];
const uint8_t *reference_data[MAX_COMPONENTS];
int linesize[MAX_COMPONENTS];
@@ -1236,6 +1236,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
s->restart_count = 0;
+av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift,
+ &chroma_v_shift);
+chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift);
+chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
for (i = 0; i < nb_components; i++) {
int c = s->comp_index[i];
data[c] = s->picture_ptr->data[c];
@@ -1272,8 +1277,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
-if ( 8*(h * mb_x + x) < s->width
-&& 8*(v * mb_y + y) < s->height) {
+if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ?
chroma_width : s->width)
+&& 8*(v * mb_y + y) < ((c == 1) || (c == 2) ?
chroma_height : s->height)) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] mjpegdec: consider chroma subsampling in size check
ffmpeg | branch: release/2.7 | Andreas Cadhalpun
| Wed Dec 2 21:52:23 2015 +0100|
[9a8d2f51cf0548aa3724e2a46e58416b333c755f] | committer: Michael Niedermayer
mjpegdec: consider chroma subsampling in size check
If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.
This fixes out of bounds writes causing segmentation faults or memory
corruption.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a8d2f51cf0548aa3724e2a46e58416b333c755f
---
libavcodec/mjpegdec.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 30fc99a..48f5ca4 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1241,7 +1241,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
int mb_bitmask_size,
const AVFrame *reference)
{
-int i, mb_x, mb_y;
+int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width,
chroma_height;
uint8_t *data[MAX_COMPONENTS];
const uint8_t *reference_data[MAX_COMPONENTS];
int linesize[MAX_COMPONENTS];
@@ -1258,6 +1258,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
s->restart_count = 0;
+av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift,
+ &chroma_v_shift);
+chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift);
+chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
for (i = 0; i < nb_components; i++) {
int c = s->comp_index[i];
data[c] = s->picture_ptr->data[c];
@@ -1294,8 +1299,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
-if ( 8*(h * mb_x + x) < s->width
-&& 8*(v * mb_y + y) < s->height) {
+if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ?
chroma_width : s->width)
+&& 8*(v * mb_y + y) < ((c == 1) || (c == 2) ?
chroma_height : s->height)) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] mjpegdec: consider chroma subsampling in size check
ffmpeg | branch: release/2.8 | Andreas Cadhalpun
| Wed Dec 2 21:52:23 2015 +0100|
[2e54b8c379bad54599f82d63de26af7c934ccff6] | committer: Michael Niedermayer
mjpegdec: consider chroma subsampling in size check
If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.
This fixes out of bounds writes causing segmentation faults or memory
corruption.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2e54b8c379bad54599f82d63de26af7c934ccff6
---
libavcodec/mjpegdec.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 6c6598f..3f81fdf 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1246,7 +1246,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
int mb_bitmask_size,
const AVFrame *reference)
{
-int i, mb_x, mb_y;
+int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width,
chroma_height;
uint8_t *data[MAX_COMPONENTS];
const uint8_t *reference_data[MAX_COMPONENTS];
int linesize[MAX_COMPONENTS];
@@ -1263,6 +1263,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
s->restart_count = 0;
+av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift,
+ &chroma_v_shift);
+chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift);
+chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
for (i = 0; i < nb_components; i++) {
int c = s->comp_index[i];
data[c] = s->picture_ptr->data[c];
@@ -1299,8 +1304,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
-if ( 8*(h * mb_x + x) < s->width
-&& 8*(v * mb_y + y) < s->height) {
+if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ?
chroma_width : s->width)
+&& 8*(v * mb_y + y) < ((c == 1) || (c == 2) ?
chroma_height : s->height)) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] mjpegdec: consider chroma subsampling in size check
ffmpeg | branch: release/2.4 | Andreas Cadhalpun
| Wed Dec 2 21:52:23 2015 +0100|
[073fcfe35800d0ad400dd1668727e3741e2a6a34] | committer: Michael Niedermayer
mjpegdec: consider chroma subsampling in size check
If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.
This fixes out of bounds writes causing segmentation faults or memory
corruption.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=073fcfe35800d0ad400dd1668727e3741e2a6a34
---
libavcodec/mjpegdec.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 59cbd25..c984766 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1197,7 +1197,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
int mb_bitmask_size,
const AVFrame *reference)
{
-int i, mb_x, mb_y;
+int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width,
chroma_height;
uint8_t *data[MAX_COMPONENTS];
const uint8_t *reference_data[MAX_COMPONENTS];
int linesize[MAX_COMPONENTS];
@@ -1214,6 +1214,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
s->restart_count = 0;
+av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift,
+ &chroma_v_shift);
+chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift);
+chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
for (i = 0; i < nb_components; i++) {
int c = s->comp_index[i];
data[c] = s->picture_ptr->data[c];
@@ -1250,8 +1255,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
-if ( 8*(h * mb_x + x) < s->width
-&& 8*(v * mb_y + y) < s->height) {
+if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ?
chroma_width : s->width)
+&& 8*(v * mb_y + y) < ((c == 1) || (c == 2) ?
chroma_height : s->height)) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] mjpegdec: consider chroma subsampling in size check
ffmpeg | branch: release/2.5 | Andreas Cadhalpun
| Wed Dec 2 21:52:23 2015 +0100|
[d52b5f85f2837b0de9bdefe2a650d8d1b0e02ec1] | committer: Michael Niedermayer
mjpegdec: consider chroma subsampling in size check
If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.
This fixes out of bounds writes causing segmentation faults or memory
corruption.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d52b5f85f2837b0de9bdefe2a650d8d1b0e02ec1
---
libavcodec/mjpegdec.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index a1141e7..d2624f0 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1222,7 +1222,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
int mb_bitmask_size,
const AVFrame *reference)
{
-int i, mb_x, mb_y;
+int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width,
chroma_height;
uint8_t *data[MAX_COMPONENTS];
const uint8_t *reference_data[MAX_COMPONENTS];
int linesize[MAX_COMPONENTS];
@@ -1239,6 +1239,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
s->restart_count = 0;
+av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift,
+ &chroma_v_shift);
+chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift);
+chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
for (i = 0; i < nb_components; i++) {
int c = s->comp_index[i];
data[c] = s->picture_ptr->data[c];
@@ -1275,8 +1280,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
-if ( 8*(h * mb_x + x) < s->width
-&& 8*(v * mb_y + y) < s->height) {
+if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ?
chroma_width : s->width)
+&& 8*(v * mb_y + y) < ((c == 1) || (c == 2) ?
chroma_height : s->height)) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] mjpegdec: consider chroma subsampling in size check
ffmpeg | branch: master | Andreas Cadhalpun
| Wed Dec 2 21:52:23 2015 +0100| [5adb5d9d894aa495e7bf9557b4c78350cbfc9d32] |
committer: Andreas Cadhalpun
mjpegdec: consider chroma subsampling in size check
If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.
This fixes out of bounds writes causing segmentation faults or memory
corruption.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5adb5d9d894aa495e7bf9557b4c78350cbfc9d32
---
libavcodec/mjpegdec.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 4c9c82d..c812b86 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1246,7 +1246,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
int mb_bitmask_size,
const AVFrame *reference)
{
-int i, mb_x, mb_y;
+int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width,
chroma_height;
uint8_t *data[MAX_COMPONENTS];
const uint8_t *reference_data[MAX_COMPONENTS];
int linesize[MAX_COMPONENTS];
@@ -1263,6 +1263,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
s->restart_count = 0;
+av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift,
+ &chroma_v_shift);
+chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift);
+chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
for (i = 0; i < nb_components; i++) {
int c = s->comp_index[i];
data[c] = s->picture_ptr->data[c];
@@ -1299,8 +1304,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int
nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
-if ( 8*(h * mb_x + x) < s->width
-&& 8*(v * mb_y + y) < s->height) {
+if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ?
chroma_width : s->width)
+&& 8*(v * mb_y + y) < ((c == 1) || (c == 2) ?
chroma_height : s->height)) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
