virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

avcodec/mpeg4videodec: Check read profile before setting it

Browse Source 
Fixes: null pointer dereference
Fixes: ffmpeg_crash_7.avi

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2018-06-27 19:37:09 +02:00
parent 95556e27e2
commit 2aa9047486
1 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
libavcodec/mpeg4videodec.c
View File

@@ -1980,15 +1980,15 @@ static int mpeg4_decode_gop_header(MpegEncContext *s, GetBitContext *gb)
return 0; return 0;
} }
static int mpeg4_decode_profile_level(MpegEncContext *s, GetBitContext *gb) static int mpeg4_decode_profile_level(MpegEncContext *s, GetBitContext *gb, int *profile, int *level)
{ {
s->avctx->profile = get_bits(gb, 4); *profile = get_bits(gb, 4);
s->avctx->level = get_bits(gb, 4); *level = get_bits(gb, 4);
// for Simple profile, level 0 // for Simple profile, level 0
if (s->avctx->profile == 0 && s->avctx->level == 8) { if (*profile == 0 && *level == 8) {
s->avctx->level = 0; *level = 0;
} }
return 0; return 0;
@@ -3211,13 +3211,19 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)
} else if (startcode == GOP_STARTCODE) { } else if (startcode == GOP_STARTCODE) {
mpeg4_decode_gop_header(s, gb); mpeg4_decode_gop_header(s, gb);
} else if (startcode == VOS_STARTCODE) { } else if (startcode == VOS_STARTCODE) {
mpeg4_decode_profile_level(s, gb); int profile, level;
if (s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO && mpeg4_decode_profile_level(s, gb, &profile, &level);
(s->avctx->level > 0 && s->avctx->level < 9)) { if (profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO &&
(level > 0 && level < 9)) {
s->studio_profile = 1; s->studio_profile = 1;
next_start_code_studio(gb); next_start_code_studio(gb);
extension_and_user_data(s, gb, 0); extension_and_user_data(s, gb, 0);
} else if (s->studio_profile) {
avpriv_request_sample(s->avctx, "Mixes studio and non studio profile\n");
return AVERROR_PATCHWELCOME;
} }
s->avctx->profile = profile;
s->avctx->level = level;
} else if (startcode == VISUAL_OBJ_STARTCODE) { } else if (startcode == VISUAL_OBJ_STARTCODE) {
if (s->studio_profile) { if (s->studio_profile) {
if ((ret = decode_studiovisualobject(ctx, gb)) < 0) if ((ret = decode_studiovisualobject(ctx, gb)) < 0)
@@ -3238,6 +3244,7 @@ end:
s->avctx->has_b_frames = !s->low_delay; s->avctx->has_b_frames = !s->low_delay;
if (s->studio_profile) { if (s->studio_profile) {
av_assert0(s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO);
if (!s->avctx->bits_per_raw_sample) { if (!s->avctx->bits_per_raw_sample) {
av_log(s->avctx, AV_LOG_ERROR, "Missing VOL header\n"); av_log(s->avctx, AV_LOG_ERROR, "Missing VOL header\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;