Here is a patch to fix a crash with http://sam.zoy.org/zzuf/lol-mplayer.m2v
I extracted this patch from the MPlayer SVN repository (revision 21941).
Please apply.


Lionel Debroux.
>From 16ef51dc59e22b5f61703c22930246c317a9e85e Mon Sep 17 00:00:00 2001
From: Lionel Debroux <[EMAIL PROTECTED]>
Date: Sat, 16 Feb 2008 16:33:57 +0100
Subject: Fix crash with http://sam.zoy.org/zzuf/lol-mplayer.m2v (modified from MPlayer SVN repo, revision 21941).

---
 trunk/libmpeg2/slice.c |   20 +++++++++++++++++++-
 1 files changed, 19 insertions(+), 1 deletions(-)

diff --git a/trunk/libmpeg2/slice.c b/trunk/libmpeg2/slice.c
index 8f1035b..0dcdf42 100644
--- a/trunk/libmpeg2/slice.c
+++ b/trunk/libmpeg2/slice.c
@@ -1587,6 +1587,16 @@ do {									\
     }									\
 } while (0)
 
+/**
+ * Dummy motion decoding function, to avoid calling NULL in
+ * case of malformed streams.
+ */
+static void motion_dummy (mpeg2_decoder_t * const decoder,
+                          motion_t * const motion,
+                          mpeg2_mc_fct * const * const table)
+{
+}
+
 void mpeg2_init_fbuf (mpeg2_decoder_t * decoder, uint8_t * current_fbuf[3],
 		      uint8_t * forward_fbuf[3], uint8_t * backward_fbuf[3])
 {
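Review bot: The doc comment on `motion_dummy` does not state what the stub actually does when a malformed stream selects it: the body is empty, so it reads no bits and leaves `*motion` untouched, and decoding simply continues rather than reporting an error. I would add a line such as ` * Does nothing: consumes no bitstream data and leaves *motion unchanged.` so a maintainer does not take it for a real parser. The three parameters are unused, so a build with `-Wunused-parameter` (if the project enables it) would warn here; a `(void) decoder; (void) motion; (void) table;` in the body would silence that.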
@@ -1644,7 +1654,9 @@ void mpeg2_init_fbuf (mpeg2_decoder_t * decoder, uint8_t * current_fbuf[3],
 
     if (decoder->mpeg1) {
 	decoder->motion_parser[0] = motion_zero_420;
-	decoder->motion_parser[MC_FRAME] = motion_mp1;
+        decoder->motion_parser[MC_FIELD] = motion_dummy;
+ 	decoder->motion_parser[MC_FRAME] = motion_mp1;
+        decoder->motion_parser[MC_DMV] = motion_dummy;
 	decoder->motion_parser[4] = motion_reuse_420;
     } else if (decoder->picture_structure == FRAME_PICTURE) {
 	if (decoder->chroma_format == 0) {
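Review bot: The `MC_FRAME` assignment is removed and re-added with only its leading whitespace changed (a space before the tab), and the two new `motion_dummy` lines are indented with spaces where the surrounding lines use tabs. Keeping the original `MC_FRAME` line and indenting the additions with a tab would reduce this hunk to two pure additions and make the intent easier to audit. Only the `decoder->mpeg1` branch is filled in here; the `FRAME_PICTURE` branch and any later ones continue outside the hunk, so it is worth confirming that they too leave no slot of `motion_parser` unset.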
@@ -1869,6 +1881,12 @@ void mpeg2_slice (mpeg2_decoder_t * const decoder, const int code,
 
 	    motion_parser_t * parser;
 
+	    if (   ((macroblock_modes >> MOTION_TYPE_SHIFT) < 0)
+                || ((macroblock_modes >> MOTION_TYPE_SHIFT) >= (int)(sizeof(decoder->motion_parser)/sizeof(decoder->motion_parser[0])))
+	       ) {
+		break; // Illegal !
+	    }
+
 	    parser =
 		decoder->motion_parser[macroblock_modes >> MOTION_TYPE_SHIFT];
 	    MOTION_CALL (parser, macroblock_modes);
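Review bot: The new range check before `decoder->motion_parser[...]` rejects an out-of-range index but not an in-range slot that is still NULL, which is the case the patch description says it wants to avoid; only the MPEG-1 branch of `mpeg2_init_fbuf` is visibly padded with `motion_dummy`. The shift is also evaluated three times, and if `macroblock_modes` is a signed int the `< 0` test relies on implementation-defined right-shift behaviour. Computing the index once as unsigned, next to the `parser` declaration, covers both: `const unsigned int idx = (unsigned int) macroblock_modes >> MOTION_TYPE_SHIFT;` followed by `if (idx >= sizeof (decoder->motion_parser) / sizeof (decoder->motion_parser[0]) || decoder->motion_parser[idx] == NULL) break;`. What the `break` exits is not visible in this hunk, so please confirm it ends decoding of the slice rather than only leaving an inner `switch`.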
-- 
1.5.3.7
