1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-28 20:53:54 +02:00

rtjpeg: check get_block return value for error.

This avoids crashes due to reading out-of-bounds.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
Reimar Döffinger 2011-11-05 22:26:42 +01:00 committed by Anton Khirnov
parent f6afacdb3b
commit 7a62ddb689

View File

@ -114,24 +114,25 @@ int rtjpeg_decode_frame_yuv420(RTJpegContext *c, AVFrame *f,
init_get_bits(&gb, buf, buf_size * 8);
for (y = 0; y < h; y++) {
for (x = 0; x < w; x++) {
#define BLOCK(quant, dst, stride) do { \
int res = get_block(&gb, block, c->scan, quant); \
if (res < 0) \
return res; \
if (res > 0) \
c->dsp->idct_put(dst, stride, block); \
} while (0)
DCTELEM *block = c->block;
if (get_block(&gb, block, c->scan, c->lquant) > 0)
c->dsp->idct_put(y1, f->linesize[0], block);
BLOCK(c->lquant, y1, f->linesize[0]);
y1 += 8;
if (get_block(&gb, block, c->scan, c->lquant) > 0)
c->dsp->idct_put(y1, f->linesize[0], block);
BLOCK(c->lquant, y1, f->linesize[0]);
y1 += 8;
if (get_block(&gb, block, c->scan, c->lquant) > 0)
c->dsp->idct_put(y2, f->linesize[0], block);
BLOCK(c->lquant, y2, f->linesize[0]);
y2 += 8;
if (get_block(&gb, block, c->scan, c->lquant) > 0)
c->dsp->idct_put(y2, f->linesize[0], block);
BLOCK(c->lquant, y2, f->linesize[0]);
y2 += 8;
if (get_block(&gb, block, c->scan, c->cquant) > 0)
c->dsp->idct_put(u, f->linesize[1], block);
BLOCK(c->cquant, u, f->linesize[1]);
u += 8;
if (get_block(&gb, block, c->scan, c->cquant) > 0)
c->dsp->idct_put(v, f->linesize[2], block);
BLOCK(c->cquant, v, f->linesize[2]);
v += 8;
}
y1 += 2 * 8 * (f->linesize[0] - w);