From c14656a1e09ce3df41636f6abfac68112c8d8c98 Mon Sep 17 00:00:00 2001
From: Seungha Yang
Date: Tue, 3 Aug 2021 19:12:11 +0900
Subject: jpegdec: Fix crash when interlaced field height is not DCT block size aligned

In case of interlaced JPEG file, we are doubling stride. The scratch scan line should take account of it as well.

Part-of:
---
 ext/jpeg/gstjpegdec.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ext/jpeg/gstjpegdec.c b/ext/jpeg/gstjpegdec.c
index c4bb732a9..cce74afa8 100644
--- a/ext/jpeg/gstjpegdec.c
+++ b/ext/jpeg/gstjpegdec.c
@@ -868,7 +868,7 @@ gst_jpeg_dec_decode_direct (GstJpegDec * dec, GstVideoFrame * frame,
 gint lines, v_samp[3];
 guchar *base[3], *last[3];
 gint stride[3];
- guint height;
+ guint height, field_height;

 line[0] = y;
 line[1] = u;
@@ -881,7 +881,12 @@ gst_jpeg_dec_decode_direct (GstJpegDec * dec, GstVideoFrame * frame,
 if (G_UNLIKELY (v_samp[0] > 2 || v_samp[1] > 2 || v_samp[2] > 2))
 goto format_not_supported;

- height = GST_VIDEO_FRAME_HEIGHT (frame);
+ height = field_height = GST_VIDEO_FRAME_HEIGHT (frame);
+
+ /* XXX: division by 2 here might not be a good idea yes. But we are doing this
+ * already in gst_jpeg_dec_handle_frame() for interlaced jpeg */
+ if (num_fields == 2)
+ field_height /= 2;

 for (i = 0; i < 3; i++) {
 base[i] = GST_VIDEO_FRAME_COMP_DATA (frame, i);
@@ -896,7 +901,7 @@ gst_jpeg_dec_decode_direct (GstJpegDec * dec, GstVideoFrame * frame,
 }
 }

- if (height % (v_samp[0] * DCTSIZE) && (dec->scratch_size < stride[0])) {
+ if (field_height % (v_samp[0] * DCTSIZE) && (dec->scratch_size < stride[0])) {
 g_free (dec->scratch);
 dec->scratch = g_malloc (stride[0]);
 dec->scratch_size = stride[0];
--
cgit v1.2.1
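Review bot: `field_height /= 2` in the second hunk truncates when the frame height is odd, so the alignment test in the third hunk would then be evaluated against a field one line shorter than the taller of the two fields. The added comment voices the doubt but leaves it open (and "yes" reads like a typo for "yet"). Whether an odd height can reach this point is decided in gst_jpeg_dec_handle_frame(), which is outside the diff, so the assumption should be stated where it is relied on, for example `/* interlaced: each field holds height / 2 lines; gst_jpeg_dec_handle_frame() is expected to pass an even frame height */`. The body of gst_jpeg_dec_decode_direct() starts and ends outside this hunk.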
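Review bot: In the third hunk the scratch line is still allocated only when the component-0 field height is unaligned (`v_samp[0] * DCTSIZE`), and it is sized from `stride[0]` alone, while the sampling check in the second hunk lets `v_samp[1]` and `v_samp[2]` be 1 or 2 independently of `v_samp[0]`. If the write loop, which is outside the hunk, can redirect rows of another plane to `dec->scratch` when this condition was false, the crash this commit addresses could remain for that layout; the visible lines do not settle it. A comment stating the invariant would make it checkable, e.g. `/* scratch absorbs rows past the end of any plane: stride[0] is the widest stride and v_samp[0] the largest vertical factor */`, or the test could use `MAX (v_samp[0], MAX (v_samp[1], v_samp[2]))` in place of `v_samp[0]`.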