mpeg12dec: move setting first_field to mpeg_field_start()

Message ID 20161219071956.08B505DA92@aruru.libav.org
State New
Headers show

Commit Message

Janne Grunau Dec. 19, 2016, 7:19 a.m.
Module: libav
Branch: master
Commit: c2fa6bb0e8703a7a6aa10e11f9ab36094416d83f

Author:    Anton Khirnov <anton@khirnov.net>
Committer: Anton Khirnov <anton@khirnov.net>
Date:      Sat Dec 17 17:04:55 2016 +0100

mpeg12dec: move setting first_field to mpeg_field_start()

For field picture, the first_field is set based on its previous value.
Before this commit, first_field is set when reading the picture
coding extension. However, in corrupted files there may be multiple
picture coding extension headers, so the final value of first_field that
is actually used during decoding can be wrong. That can lead to various
undefined behaviour, like predicting from a non-existing field.

Fix this problem, by setting first_field in mpeg_field_start(), which
should be called exactly once per field.

CC: libav-stable@libav.org
Bug-ID: 999

---

 libavcodec/mpeg12dec.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Patch

diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index 310169b..afdd652 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -1536,10 +1536,8 @@  static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
         av_log(s->avctx, AV_LOG_WARNING, "invalid frame_pred_frame_dct\n");
 
     if (s->picture_structure == PICT_FRAME) {
-        s->first_field = 0;
         s->v_edge_pos  = 16 * s->mb_height;
     } else {
-        s->first_field ^= 1;
         s->v_edge_pos   = 8 * s->mb_height;
         memset(s->mbskip_table, 0, s->mb_stride * s->mb_height);
     }
@@ -1570,6 +1568,11 @@  static int mpeg_field_start(MpegEncContext *s, const uint8_t *buf, int buf_size)
     Mpeg1Context *s1      = (Mpeg1Context *) s;
     int ret;
 
+    if (s->picture_structure == PICT_FRAME)
+        s->first_field = 0;
+    else
+        s->first_field ^= 1;
+
     /* start frame decoding */
     if (s->first_field || s->picture_structure == PICT_FRAME) {
         AVFrameSideData *pan_scan;