From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH 1/5] avcodec/mjpegdec: Always reset got_picture at the beginning of decoding
Date: Thu, 14 Apr 2022 17:56:30 +0200
Message-ID: <AS8PR01MB7944E105BE990A5D01EF89208FEF9@AS8PR01MB7944.eurprd01.prod.exchangelabs.com>

Said field is set when parsing a SOF; yet a picture is only allocated if skip_frame is != AVDISCARD_ALL. This leads to a crash in the following case: If a jpeg is split into two parts, the first containing everything before the scans including the SOF and the second part containing the rest, and the first part is sent to the decoder with skip_frame set to AVDISCARD_ALL, got_picture is set, yet no picture is allocated. If the next part is sent with skip_frame set to AVDISCARD_NONE, the code presumes that a picture has been allocated, although it hasn't, leading to segfaults.

Fix this by resetting got_picture at the beginning of decoding.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
This patch presumes that there is no use-case for partitioning the data corresponding to a single AVFrame across multiple packets. I am not certain whether this is actually true, in particular wrt interlaced input where it might be common to put the data for one field into one packet. Anyway, no such use is covered by FATE.

libavcodec/mjpegdec.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 32874a5a19..0e76bf4c26 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2419,6 +2419,7 @@ int ff_mjpeg_receive_frame(AVCodecContext *avctx, AVFrame *frame) av_dict_free(&s->exif_metadata); av_freep(&s->stereo3d); s->adobe_transform = -1; + s->got_picture = 0; if (s->iccnum != 0) reset_icc_profile(s); 
@@ -2578,7 +2579,6 @@ eoi_parser: break; } if (avctx->skip_frame == AVDISCARD_ALL) { - s->got_picture = 0; ret = AVERROR(EAGAIN); goto the_end_no_picture; } @@ -2651,7 +2651,6 @@ skip: av_log(avctx, AV_LOG_FATAL, "No JPEG data found in image\n"); return AVERROR_INVALIDDATA; fail: - s->got_picture = 0; return ret; the_end: @@ -2987,10 +2986,9 @@ av_cold int ff_mjpeg_decode_end(AVCodecContext *avctx) return 0; } -static void decode_flush(AVCodecContext *avctx) +static void smv_decode_flush(AVCodecContext *avctx) { MJpegDecodeContext *s = avctx->priv_data; - s->got_picture = 0; s->smv_next_frame = 0; av_frame_unref(s->smv_frame); @@ -3021,7 +3019,6 @@ const FFCodec ff_mjpeg_decoder = { .init = ff_mjpeg_decode_init, .close = ff_mjpeg_decode_end, FF_CODEC_RECEIVE_FRAME_CB(ff_mjpeg_receive_frame), - .flush = decode_flush, .p.capabilities = AV_CODEC_CAP_DR1, .p.max_lowres = 3, .p.priv_class = &mjpegdec_class, @@ -3049,7 +3046,6 @@ const FFCodec ff_thp_decoder = { .init = ff_mjpeg_decode_init, .close = ff_mjpeg_decode_end, FF_CODEC_RECEIVE_FRAME_CB(ff_mjpeg_receive_frame), - .flush = decode_flush, .p.capabilities = AV_CODEC_CAP_DR1, .p.max_lowres = 3, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP | @@ -3067,7 +3063,7 @@ const FFCodec ff_smvjpeg_decoder = { .init = ff_mjpeg_decode_init, .close = ff_mjpeg_decode_end, FF_CODEC_RECEIVE_FRAME_CB(ff_mjpeg_receive_frame), - .flush = decode_flush, + .flush = smv_decode_flush, .p.capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_EXPORTS_CROPPING | FF_CODEC_CAP_SETS_PKT_DTS | FF_CODEC_CAP_INIT_CLEANUP, -- 2.32.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
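Review bot: the unconditional `s->got_picture = 0;` added in the first hunk (after `s->adobe_transform = -1;` in ff_mjpeg_receive_frame) also changes behaviour for input that delivers the SOF in one packet and the scans in the next with skip_frame left at AVDISCARD_NONE, which the note under the `---` says may happen with interlaced input and is not covered by FATE. Please state the one-frame-per-packet assumption in a comment next to the assignment, and add a FATE test for the split-packet sequence from the commit message so the crash fix stays covered.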
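Review bot: in the `eoi_parser:` and `fail:` hunks, removing the resets means got_picture can stay set after an AVDISCARD_ALL frame or a failed decode until the next ff_mjpeg_receive_frame call clears it. That is only safe if nothing reads the field between calls, so please document that invariant where got_picture is declared. The `fail:` label is also left with nothing but `return ret;`, which could be simplified in a follow-up.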
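Review bot: dropping `.flush = decode_flush` from ff_mjpeg_decoder and ff_thp_decoder means a flush no longer clears got_picture for those decoders, so correctness after a flush now depends entirely on the reset added in the first hunk. The commit message should say so explicitly, since it currently only describes the crash and not why the flush callbacks become redundant. The rename to smv_decode_flush fits what remains visible in the function (`s->smv_next_frame = 0;` and `av_frame_unref(s->smv_frame);`).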
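The packet sequence from the commit message, replayed on a toy C model that is added here and is neither FFmpeg code nor part of the patch. `ModelDecoder`, `model_decode`, `replay` and the error codes are hypothetical names, and rejecting a scan that has no SOF in the same call is an assumption about the patched behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the state described in the commit message; not FFmpeg code. */
enum { DISCARD_NONE, DISCARD_ALL };
enum { OK = 0, ERR_NO_SOF = -1, ERR_STALE_FLAG = -2 };

typedef struct {
    int got_picture;            /* set when a SOF is parsed */
    unsigned char *picture;     /* "allocated" only when frames are not discarded */
    unsigned char storage[64];  /* backing store standing in for the frame buffer */
} ModelDecoder;

/* One call = one packet. markers (constructed input): 'F' = SOF, 'S' = scan data.
 * reset_at_start = 0 models the old code, 1 the patched code. */
static int model_decode(ModelDecoder *d, const char *markers, int skip, int reset_at_start)
{
    if (reset_at_start)
        d->got_picture = 0;
    for (; *markers; markers++) {
        if (*markers == 'F') {
            d->got_picture = 1;
            if (skip != DISCARD_ALL)
                d->picture = d->storage;
        } else if (*markers == 'S' && skip != DISCARD_ALL) {
            if (!d->got_picture)
                return ERR_NO_SOF;     /* assumption: scan without SOF is rejected */
            if (!d->picture)
                return ERR_STALE_FLAG; /* stands in for the write through NULL */
            memset(d->picture, 0x80, sizeof(d->storage));
        }
    }
    return OK;
}

/* Sends `first` with first_skip, then `second` (if any) with DISCARD_NONE. */
static int replay(const char *first, int first_skip, const char *second, int reset_at_start)
{
    ModelDecoder d = {0};
    int ret = model_decode(&d, first, first_skip, reset_at_start);
    if (ret == OK && second)
        ret = model_decode(&d, second, DISCARD_NONE, reset_at_start);
    return ret;
}

int main(void)
{
    printf("old: %d, patched: %d\n", replay("F", DISCARD_ALL, "S", 0), replay("F", DISCARD_ALL, "S", 1));
    return 0;
}
```

Calling `replay("F", DISCARD_NONE, "S", 1)` shows the caveat raised under the `---`: with the reset, a frame whose SOF and scans arrive in separate packets is rejected in this model even when nothing is discarded.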