avcodec/mpeg4videodec: Remove use of FF_PROFILE_MPEG4_SIMPLE_STUDIO a…
…s indicator of studio profile

The profile field is changed by code inside and outside the decoder,
it's not a reliable indicator of the internal codec state.
Maintaining its consistency with studio_profile is messy.
It's easier to just avoid it and use only studio_profile

Fixes: assertion failure
Fixes: ffmpeg_crash_9.avi

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
michaelni committed Jul 4, 2018
1 parent 3b10bb8 commit bd27a93
Showing 3 changed files with 5 additions and 5 deletions.
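--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -814,8 +814,7 @@ static int er_supported(ERContext *s)
 {
 if(s->avctx->hwaccel && s->avctx->hwaccel->decode_slice ||
 !s->cur_pic.f ||
-s->cur_pic.field_picture ||
-s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO
+s->cur_pic.field_picture
 )
 return 0;
 return 1;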
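Review bot: With the profile term dropped from `er_supported()`, nothing in this function excludes studio-profile frames any more, and the only replacement guard visible in this commit is the `if (!s->studio_profile)` in front of `ff_er_frame_end()` in h263dec.c. Any other path that relies on `er_supported()` (none is visible on this page) would now treat studio-profile pictures as supported by the error-resilience code, so each caller should be confirmed to be gated the same way. I would record the new contract above the function, e.g. `/* Studio-profile streams are not filtered here; the decoder must skip ER calls when studio_profile is set. */`. The function body is fully shown, but its callers are outside the hunk.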
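--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -47,9 +47,10 @@
 
 static enum AVPixelFormat h263_get_format(AVCodecContext *avctx)
 {
+MpegEncContext *s = avctx->priv_data;
 /* MPEG-4 Studio Profile only, not supported by hardware */
 if (avctx->bits_per_raw_sample > 8) {
-av_assert1(avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO);
+av_assert1(s->studio_profile);
 return avctx->pix_fmt;
 }
 
@@ -670,7 +671,8 @@ int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 
 av_assert1(s->bitstream_buffer_size == 0);
 frame_end:
-ff_er_frame_end(&s->er);
+if (!s->studio_profile)
+ff_er_frame_end(&s->er);
 
 if (avctx->hwaccel) {
 ret = avctx->hwaccel->end_frame(avctx);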
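Review bot: In `h263_get_format()` the branch is still selected by `avctx->bits_per_raw_sample > 8`, a public context field, and its link to the internal state is only `av_assert1(s->studio_profile)`, which compiles to nothing unless the build sets ASSERT_LEVEL above 0. If that field can drift from `studio_profile` the way the commit message says `profile` did (not verifiable from this hunk), an assert-enabled build can still abort on malformed input, while a default build silently takes the studio path. One option is to test the internal flag in the condition itself, `if (s->studio_profile && avctx->bits_per_raw_sample > 8) {`; failing that, a comment naming where the invariant is established would help the next reader. The function continues past the end of the hunk.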
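--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -3244,7 +3244,6 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)
 s->avctx->has_b_frames = !s->low_delay;
 
 if (s->studio_profile) {
-av_assert0(s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO);
 if (!s->avctx->bits_per_raw_sample) {
 av_log(s->avctx, AV_LOG_ERROR, "Missing VOL header\n");
 return AVERROR_INVALIDDATA;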

1 comment on commit bd27a93

@thuanpv thuanpv commented on bd27a93 Jul 6, 2018

This is CVE-2018-13304
