[vlc-commits] codec: jpeg: set row_pointers on context

Francois Cartegnie git at videolan.org
Mon Dec 24 12:06:38 CET 2018 

vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Dec 24 12:05:13 2018 +0100| [876450978c00d5fff966f1aef691e0bc185b154c] | committer: Francois Cartegnie

codec: jpeg: set row_pointers on context

fixes potential invalid deref on jpeg error/longjmp

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=876450978c00d5fff966f1aef691e0bc185b154c
---

 modules/codec/jpeg.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/modules/codec/jpeg.c b/modules/codec/jpeg.c
index 5f50f80819..788a6d78c6 100644
--- a/modules/codec/jpeg.c
+++ b/modules/codec/jpeg.c
@@ -70,6 +70,7 @@ typedef struct
 {
     JPEG_SYS_COMMON_MEMBERS
 
+    JSAMPARRAY p_row_pointers;
     struct jpeg_decompress_struct p_jpeg;
 } decoder_sys_t;
 
@@ -500,7 +501,7 @@ static int DecodeBlock(decoder_t *p_dec, block_t *p_block)
     decoder_sys_t *p_sys = p_dec->p_sys;
     picture_t *p_pic = 0;
 
-    JSAMPARRAY p_row_pointers = NULL;
+    p_sys->p_row_pointers = NULL;
 
     if (!p_block) /* No Drain */
         return VLCDEC_SUCCESS;
@@ -553,25 +554,25 @@ static int DecodeBlock(decoder_t *p_dec, block_t *p_block)
     }
 
     /* Decode picture */
-    p_row_pointers = vlc_alloc(p_sys->p_jpeg.output_height, sizeof(JSAMPROW));
-    if (!p_row_pointers)
+    p_sys->p_row_pointers = vlc_alloc(p_sys->p_jpeg.output_height, sizeof(JSAMPROW));
+    if (!p_sys->p_row_pointers)
     {
         goto error;
     }
     for (unsigned i = 0; i < p_sys->p_jpeg.output_height; i++) {
-        p_row_pointers[i] = p_pic->p->p_pixels + p_pic->p->i_pitch * i;
+        p_sys->p_row_pointers[i] = p_pic->p->p_pixels + p_pic->p->i_pitch * i;
     }
 
     while (p_sys->p_jpeg.output_scanline < p_sys->p_jpeg.output_height)
     {
         jpeg_read_scanlines(&p_sys->p_jpeg,
-                p_row_pointers + p_sys->p_jpeg.output_scanline,
+                p_sys->p_row_pointers + p_sys->p_jpeg.output_scanline,
                 p_sys->p_jpeg.output_height - p_sys->p_jpeg.output_scanline);
     }
 
     jpeg_finish_decompress(&p_sys->p_jpeg);
     jpeg_destroy_decompress(&p_sys->p_jpeg);
-    free(p_row_pointers);
+    free(p_sys->p_row_pointers);
 
     p_pic->date = p_block->i_pts != VLC_TICK_INVALID ? p_block->i_pts : p_block->i_dts;
 
@@ -582,7 +583,7 @@ static int DecodeBlock(decoder_t *p_dec, block_t *p_block)
 error:
 
     jpeg_destroy_decompress(&p_sys->p_jpeg);
-    free(p_row_pointers);
+    free(p_sys->p_row_pointers);
 
     block_Release(p_block);
     return VLCDEC_SUCCESS;

More information about the vlc-commits mailing list