1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00

avcodec/mjpegdec: Reorder operations to avoid undefined behavior

Fixes: asan_heap-oob_1dd60fd_267_cov_2954683513_5baad44ca4702949724234e35c5bb341.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2015-07-02 18:53:17 +02:00
parent 9dc0bac971
commit c9220d5b06

View File

@ -719,7 +719,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block,
av_log(s->avctx, AV_LOG_ERROR, "error dc\n");
return AVERROR_INVALIDDATA;
}
val = (val * quant_matrix[0] << Al) + s->last_dc[component];
val = (val * (quant_matrix[0] << Al)) + s->last_dc[component];
s->last_dc[component] = val;
block[0] = val;
return 0;
@ -762,14 +762,14 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block,
if (i >= se) {
if (i == se) {
j = s->scantable.permutated[se];
block[j] = level * quant_matrix[j] << Al;
block[j] = level * (quant_matrix[j] << Al);
break;
}
av_log(s->avctx, AV_LOG_ERROR, "error count: %d\n", i);
return AVERROR_INVALIDDATA;
}
j = s->scantable.permutated[i];
block[j] = level * quant_matrix[j] << Al;
block[j] = level * (quant_matrix[j] << Al);
} else {
if (run == 0xF) {// ZRL - skip 15 coefficients
i += 15;
@ -848,7 +848,7 @@ static int decode_block_refinement(MJpegDecodeContext *s, int16_t *block,
ZERO_RUN;
j = s->scantable.permutated[i];
val--;
block[j] = ((quant_matrix[j]^val) - val) << Al;
block[j] = ((quant_matrix[j] << Al) ^ val) - val;
if (i == se) {
if (i > *last_nnz)
*last_nnz = i;