Commit 31e3fc4d authored by bcoudurier's avatar bcoudurier

check if frame size matches old sys and assumes corrupted input, fixes #1192

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19192 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 84cb6b44
...@@ -1119,7 +1119,7 @@ static int dvvideo_decode_frame(AVCodecContext *avctx, ...@@ -1119,7 +1119,7 @@ static int dvvideo_decode_frame(AVCodecContext *avctx,
int buf_size = avpkt->size; int buf_size = avpkt->size;
DVVideoContext *s = avctx->priv_data; DVVideoContext *s = avctx->priv_data;
s->sys = dv_frame_profile(buf); s->sys = dv_frame_profile(s->sys, buf, buf_size);
if (!s->sys || buf_size < s->sys->frame_size || dv_init_dynamic_tables(s->sys)) if (!s->sys || buf_size < s->sys->frame_size || dv_init_dynamic_tables(s->sys))
return -1; /* NOTE: we only accept several full frames */ return -1; /* NOTE: we only accept several full frames */
......
...@@ -698,7 +698,9 @@ enum dv_pack_type { ...@@ -698,7 +698,9 @@ enum dv_pack_type {
*/ */
#define DV_MAX_BPM 8 #define DV_MAX_BPM 8
static inline const DVprofile* dv_frame_profile(const uint8_t* frame) static inline
const DVprofile* dv_frame_profile(const DVprofile *sys,
const uint8_t* frame, unsigned buf_size)
{ {
int i; int i;
...@@ -715,6 +717,10 @@ static inline const DVprofile* dv_frame_profile(const uint8_t* frame) ...@@ -715,6 +717,10 @@ static inline const DVprofile* dv_frame_profile(const uint8_t* frame)
if (dsf == dv_profiles[i].dsf && stype == dv_profiles[i].video_stype) if (dsf == dv_profiles[i].dsf && stype == dv_profiles[i].video_stype)
return &dv_profiles[i]; return &dv_profiles[i];
/* check if old sys matches and assumes corrupted input */
if (sys && buf_size == sys->frame_size)
return sys;
return NULL; return NULL;
} }
......
...@@ -322,7 +322,7 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, ...@@ -322,7 +322,7 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
uint8_t *ppcm[4] = {0}; uint8_t *ppcm[4] = {0};
if (buf_size < DV_PROFILE_BYTES || if (buf_size < DV_PROFILE_BYTES ||
!(c->sys = dv_frame_profile(buf)) || !(c->sys = dv_frame_profile(c->sys, buf, buf_size)) ||
buf_size < c->sys->frame_size) { buf_size < c->sys->frame_size) {
return -1; /* Broken frame, or not enough data */ return -1; /* Broken frame, or not enough data */
} }
...@@ -421,7 +421,7 @@ static int dv_read_header(AVFormatContext *s, ...@@ -421,7 +421,7 @@ static int dv_read_header(AVFormatContext *s,
url_fseek(s->pb, -DV_PROFILE_BYTES, SEEK_CUR) < 0) url_fseek(s->pb, -DV_PROFILE_BYTES, SEEK_CUR) < 0)
return AVERROR(EIO); return AVERROR(EIO);
c->dv_demux->sys = dv_frame_profile(c->buf); c->dv_demux->sys = dv_frame_profile(c->dv_demux->sys, c->buf, DV_PROFILE_BYTES);
if (!c->dv_demux->sys) { if (!c->dv_demux->sys) {
av_log(s, AV_LOG_ERROR, "Can't determine profile of DV input stream.\n"); av_log(s, AV_LOG_ERROR, "Can't determine profile of DV input stream.\n");
return -1; return -1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment