[FFmpeg-devel] [PATCH]Fix progressive jpgs with weird pix_fmts
Carl Eugen Hoyos
cehoyos at ag.or.at
Thu Jan 12 22:48:18 CET 2012
Hi!
On Saturday 07 January 2012 03:21:36 pm Michael Niedermayer wrote:
> On Sat, Jan 07, 2012 at 12:26:29PM +0100, Carl Eugen Hoyos wrote:
> > On Saturday 07 January 2012 03:27:52 am Michael Niedermayer wrote:
> > > On Sat, Jan 07, 2012 at 03:17:36AM +0100, Carl Eugen Hoyos wrote:
> > > > On Saturday 07 January 2012 02:59:06 am Michael Niedermayer wrote:
> > > > > > Attached fixes the samples from ticket #892 for me.
> > > > > >
> > > > > > Please comment, Carl Eugen
> > > > >
> > > > > reset upscale* otherwise this is possibly exploitable if the width
> > > > > or height or "pix_fmt" changes
> > > >
> > > > As in attached?
> > >
> > > not enough
> > >
> > > 1st frame sets upscale_h
> > > 2nd frame changes width/height and branches via -1 from
> > > ff_mjpeg_find_marker to the_end
> >
> > Iiuc, width/height can only be set in ff_mjpeg_decode_sof(), so new patch
> > resets the value at the beginning of this function.
> >
> > > also wherever the variables are reset i suggest that a av_assert0 is
> > > added to make sure the pixel format matches the expectation that is
> > > theres enough space for chroma
> >
> > I don't understand:
> > If the variables are reset (to 0), the code that may overwrite chroma /
> > corrupt memory is not called, the variables are set together with the
> > pix_fmt.
> >
> > Only s->ls change the pix_fmt later, upscale now also gets reset in this
> > case.
>
> my concern is if the code is changed in the future. A new code path
> could be added that changes width/height and forgets reseting these
> variables
Thank you for the explanation.
New patch attached.
Please comment, Carl Eugen
-------------- next part --------------
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 458d132..64e5839 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -219,6 +219,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
int len, nb_components, i, width, height, pix_fmt_id;
s->cur_scan = 0;
+ s->upscale_h = s->upscale_v = 0;
/* XXX: verify len field validity */
len = get_bits(&s->gb, 16);
@@ -401,6 +402,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
return -1;
}
if (s->ls) {
+ s->upscale_h = s->upscale_v = 0;
if (s->nb_components > 1)
s->avctx->pix_fmt = PIX_FMT_RGB24;
else if (s->bits <= 8)
@@ -1233,28 +1235,6 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
return -1;
}
}
- if (s->upscale_h) {
- uint8_t *line = s->picture_ptr->data[s->upscale_h];
- for (i = 0; i < s->chroma_height; i++) {
- for (index = s->width - 1; index; index--)
- line[index] = (line[index / 2] + line[(index + 1) / 2]) >> 1;
- line += s->linesize[s->upscale_h];
- }
- }
- if (s->upscale_v) {
- uint8_t *dst = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(s->height - 1) * s->linesize[s->upscale_v]];
- for (i = s->height - 1; i; i--) {
- uint8_t *src1 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[i / 2 * s->linesize[s->upscale_v]];
- uint8_t *src2 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(i + 1) / 2 * s->linesize[s->upscale_v]];
- if (src1 == src2) {
- memcpy(dst, src1, s->width);
- } else {
- for (index = 0; index < s->width; index++)
- dst[index] = (src1[index] + src2[index]) >> 1;
- }
- dst -= s->linesize[s->upscale_v];
- }
- }
emms_c();
return 0;
out_of_range:
@@ -1576,6 +1556,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
const uint8_t *unescaped_buf_ptr;
int unescaped_buf_size;
int start_code;
+ int i, index;
AVFrame *picture = data;
s->got_picture = 0; // picture from previous image can not be reused
@@ -1735,6 +1716,36 @@ eoi_parser:
av_log(avctx, AV_LOG_FATAL, "No JPEG data found in image\n");
return -1;
the_end:
+ if (s->upscale_h) {
+ uint8_t *line = s->picture_ptr->data[s->upscale_h];
+ av_assert0(avctx->pix_fmt == PIX_FMT_YUVJ444P ||
+ avctx->pix_fmt == PIX_FMT_YUV444P ||
+ avctx->pix_fmt == PIX_FMT_YUVJ440P ||
+ avctx->pix_fmt == PIX_FMT_YUV440P);
+ for (i = 0; i < s->chroma_height; i++) {
+ for (index = s->width - 1; index; index--)
+ line[index] = (line[index / 2] + line[(index + 1) / 2]) >> 1;
+ line += s->linesize[s->upscale_h];
+ }
+ }
+ if (s->upscale_v) {
+ uint8_t *dst = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(s->height - 1) * s->linesize[s->upscale_v]];
+ av_assert0(avctx->pix_fmt == PIX_FMT_YUVJ444P ||
+ avctx->pix_fmt == PIX_FMT_YUV444P ||
+ avctx->pix_fmt == PIX_FMT_YUVJ422P ||
+ avctx->pix_fmt == PIX_FMT_YUV422P);
+ for (i = s->height - 1; i; i--) {
+ uint8_t *src1 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[i / 2 * s->linesize[s->upscale_v]];
+ uint8_t *src2 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(i + 1) / 2 * s->linesize[s->upscale_v]];
+ if (src1 == src2) {
+ memcpy(dst, src1, s->width);
+ } else {
+ for (index = 0; index < s->width; index++)
+ dst[index] = (src1[index] + src2[index]) >> 1;
+ }
+ dst -= s->linesize[s->upscale_v];
+ }
+ }
av_log(avctx, AV_LOG_DEBUG, "mjpeg decode frame unused %td bytes\n",
buf_end - buf_ptr);
// return buf_end - buf_ptr;
More information about the ffmpeg-devel
mailing list