Merge commit '278a923c51187d37445d88a6b21082036ec9568d'

* commit '278a923c51187d37445d88a6b21082036ec9568d': jpeg2000: Validate SIZ parsing Conflicts: libavcodec/jpeg2000dec.c This commit is not exactly merged due to bugs in it Merged-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago · f0358dc1d3
parent 2e85737b0e 278a923c51
commit f0358dc1d3
1 changed files with 25 additions and 8 deletions
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@ -73,7 +73,7 @@ typedef struct Jpeg2000DecoderContext {
    int             precision;
    int             ncomponents;
    int             tile_width, tile_height;
-    int             numXtiles, numYtiles;
+    unsigned        numXtiles, numYtiles;
    int             maxtilelen;
    Jpeg2000CodingStyle codsty[4];
@ -176,14 +176,25 @@ static int get_siz(Jpeg2000DecoderContext *s)
    s->tile_offset_y  = bytestream2_get_be32u(&s->g); // YT0Siz
    ncomponents       = bytestream2_get_be16u(&s->g); // CSiz
-    if (ncomponents <= 0 || ncomponents > 4) {
+    if (ncomponents <= 0) {
-        av_log(s->avctx, AV_LOG_ERROR, "unsupported/invalid ncomponents: %d\n", ncomponents);
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n",
               s->ncomponents);
        return AVERROR_INVALIDDATA;
    }
    if (ncomponents > 4) {
        avpriv_request_sample(s->avctx, "Support for %d components",
                              s->ncomponents);
        return AVERROR_PATCHWELCOME;
    }
    s->ncomponents = ncomponents;
-    if (s->tile_width<=0 || s->tile_height<=0)
+    if (s->tile_width <= 0 || s->tile_height <= 0) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid tile dimension %dx%d.\n",
               s->tile_width, s->tile_height);
        return AVERROR_INVALIDDATA;
    }
    if (bytestream2_get_bytes_left(&s->g) < 3 * s->ncomponents)
        return AVERROR_INVALIDDATA;
@ -196,7 +207,9 @@ static int get_siz(Jpeg2000DecoderContext *s)
        s->cdx[i]    = bytestream2_get_byteu(&s->g);
        s->cdy[i]    = bytestream2_get_byteu(&s->g);
        if (s->cdx[i] != 1 || s->cdy[i] != 1) {
-            av_log(s->avctx, AV_LOG_ERROR, "unsupported/ CDxy values %d %d for component %d\n", s->cdx[i], s->cdy[i], i);
+            avpriv_request_sample(s->avctx,
                                  "CDxy values %d %d for component %d",
                                  s->cdx[i], s->cdy[i], i);
            if (!s->cdx[i] || !s->cdy[i])
                return AVERROR_INVALIDDATA;
        }
@ -205,12 +218,16 @@ static int get_siz(Jpeg2000DecoderContext *s)
    s->numXtiles = ff_jpeg2000_ceildiv(s->width  - s->tile_offset_x, s->tile_width);
    s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height);
-    if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(Jpeg2000Tile))
+    if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) {
        s->numXtiles = s->numYtiles = 0;
        return AVERROR(EINVAL);
    }
-    s->tile = av_mallocz(s->numXtiles * s->numYtiles * sizeof(*s->tile));
+    s->tile = av_mallocz_array(s->numXtiles * s->numYtiles, sizeof(*s->tile));
-    if (!s->tile)
+    if (!s->tile) {
        s->numXtiles = s->numYtiles = 0;
        return AVERROR(ENOMEM);
    }
    for (i = 0; i < s->numXtiles * s->numYtiles; i++) {
        Jpeg2000Tile *tile = s->tile + i;