From 0f583d20d5ddcab34d8af76a597d5d6f1f19fece Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 29 Sep 2012 13:50:44 +0200
Subject: [PATCH 1/2] mpeg12: fix the semantics of the int* parameter of decode()

It is got_output, not data_size.
---
 libavcodec/mpeg12.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c
index 035ee5661d..a9626c4026 100644
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -2186,7 +2186,7 @@ int ff_mpeg1_find_frame_end(ParseContext *pc, const uint8_t *buf, int buf_size,
 }
 static int decode_chunks(AVCodecContext *avctx,
- AVFrame *picture, int *data_size,
+ AVFrame *picture, int *got_output,
 const uint8_t *buf, int buf_size)
 {
 Mpeg1Context *s = avctx->priv_data;
@@ -2215,7 +2215,7 @@ static int decode_chunks(AVCodecContext *avctx,
 if (slice_end(avctx, picture)) {
 if (s2->last_picture_ptr || s2->low_delay) //FIXME merge with the stuff in mpeg_decode_slice
- *data_size = sizeof(AVPicture);
+ *got_output = 1;
 }
 }
 s2->pict_type = 0;
@@ -2417,7 +2417,7 @@ static int decode_chunks(AVCodecContext *avctx,
 }
 static int mpeg_decode_frame(AVCodecContext *avctx,
- void *data, int *data_size,
+ void *data, int *got_output,
 AVPacket *avpkt)
 {
 const uint8_t *buf = avpkt->data;
@@ -2433,7 +2433,7 @@ static int mpeg_decode_frame(AVCodecContext *avctx,
 *picture = s2->next_picture_ptr->f;
 s2->next_picture_ptr = NULL;
- *data_size = sizeof(AVFrame);
+ *got_output = 1;
 }
 return buf_size;
 }
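Review bot: The renamed `got_output` parameter of decode_chunks (hunk at -2186) and mpeg_decode_frame (hunk at -2417) is now a flag rather than a byte count, but neither signature carries a comment stating the contract, and none of the visible hunks ever writes 0 to it, so both functions appear to rely on the caller having cleared `*got_output` before the call. Suggest documenting this on the decode_chunks definition: `/* got_output: set to 1 when *picture holds a complete frame; never cleared here, the caller must zero it first */`. The same note applies to the two call sites in the -2451 hunk of mpeg_decode_frame, where the extradata pass and the packet pass share one flag. Both functions begin and end outside the hunks.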
@@ -2451,12 +2451,12 @@ static int mpeg_decode_frame(AVCodecContext *avctx,
 s->slice_count = 0;
 if (avctx->extradata && !avctx->frame_number) {
- int ret = decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size);
+ int ret = decode_chunks(avctx, picture, got_output, avctx->extradata, avctx->extradata_size);
 if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) return ret;
 }
- return decode_chunks(avctx, picture, data_size, buf, buf_size);
+ return decode_chunks(avctx, picture, got_output, buf, buf_size);
 }

From 1a8c6917f68f7378465e18f7615762bfd22704c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?=
Date: Sat, 29 Sep 2012 11:16:45 +0200
Subject: [PATCH 2/2] h264: avoid stuck buffer pointer in decode_nal_units
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When decode_nal_units() previously encountered a NAL_END_SEQUENCE, and there are some junk bytes left in the input buffer, but no start codes, buf_index gets stuck 3 bytes before the end of the buffer. This can trigger an infinite loop in the caller code, eg. in try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes, with 3 bytes of the input packet still available. With this change, the remaining bytes are skipped so the whole packet gets consumed.

CC:libav-stable@libav.org
Signed-off-by: Jindřich Makovička
Signed-off-by: Anton Khirnov
---
 libavcodec/h264.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 99cf5dc9f3..5de7f104ca 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3694,8 +3694,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size)
 buf[buf_index + 2] == 1)
 break;
- if (buf_index + 3 >= buf_size)
+ if (buf_index + 3 >= buf_size) {
+ buf_index = buf_size;
 break;
+ }
 buf_index += 3;
 if (buf_index >= next_avc)
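Review bot: The new `buf_index = buf_size;` in the -3694 hunk of decode_nal_units is what makes the caller consume the trailing bytes, but nothing in the code says why a scan that finds no start code must advance to the end, so a future refactor could quietly reintroduce the stall; suggest `/* no start code in the remaining bytes: consume them all so the caller does not spin on a 3-byte leftover */` above the if. Since the old behaviour let a malformed packet keep avcodec_decode_video() returning 0 indefinitely, a regression test feeding a packet that ends in junk after an end-of-sequence NAL and asserting the returned byte count equals the packet size would pin the fix. decode_nal_units begins and continues outside the hunk.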