From cec48383b16f25e2959e38843b89919a6c7e8c14 Mon Sep 17 00:00:00 2001
From: Mark Nauwelaerts
Date: Fri, 30 Apr 2010 12:42:42 +0200
Subject: [PATCH] jpegdec: more sanity checks on input
Specifically, verify input components / colour space is as code subsequently expects, thereby avoiding crashes or otherwise bogus output. Presently, that means 3 components YCbCr colour space, and somewhat limited sampling factors. Fixes #600553.
---
 ext/jpeg/gstjpegdec.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/ext/jpeg/gstjpegdec.c b/ext/jpeg/gstjpegdec.c
index 7daec71c32..a3fa13abd2 100644
--- a/ext/jpeg/gstjpegdec.c
+++ b/ext/jpeg/gstjpegdec.c
@@ -1034,6 +1034,10 @@ gst_jpeg_dec_chain (GstPad * pad, GstBuffer * buf)
 if (dec->cinfo.num_components > 3)
 goto components_not_supported;
+ /* verify color space expectation to avoid going *boom* or bogus output */
+ if (dec->cinfo.jpeg_color_space != JCS_YCbCr)
+ goto unsupported_colorspace;
+
 #ifndef GST_DISABLE_GST_DEBUG
 {
 gint i;
@@ -1060,6 +1064,12 @@ gst_jpeg_dec_chain (GstPad * pad, GstBuffer * buf)
 GST_WARNING_OBJECT (dec, "failed to start decompression cycle");
 }
+ /* YUV sanity checks to get safe and reasonable I420 output */
+ g_assert (dec->cinfo.num_components == 3);
+ if (r_v > 2 || r_v < dec->cinfo.comp_info[0].v_samp_factor ||
+ r_h < dec->cinfo.comp_info[0].h_samp_factor)
+ goto invalid_yuv;
+
 width = dec->cinfo.output_width;
 height = dec->cinfo.output_height;
@@ -1306,6 +1316,20 @@ components_not_supported:
 ret = GST_FLOW_ERROR;
 goto done;
 }
+unsupported_colorspace:
+ {
+ GST_ELEMENT_ERROR (dec, STREAM, DECODE, (NULL),
+ ("Picture has unknown or unsupported colourspace"));
+ ret = GST_FLOW_ERROR;
+ goto done;
+ }
+invalid_yuv:
+ {
+ GST_ELEMENT_ERROR (dec, STREAM, DECODE, (NULL),
+ ("Picture is corrupt or unhandled YUV layout"));
+ ret = GST_FLOW_ERROR;
+ goto done;
+ }
 }
 static gboolean
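Review bot: The comment above the new `jpeg_color_space` check does not say which later assumption it protects, so it is unclear what must change before the check can be relaxed for grayscale or RGB input. The field is filled in from the parsed file header, so I would state the contract directly, e.g. `/* the output path below assumes 3-component YCbCr (I420); reject anything else the header claims */`. The check also turns every grayscale JPEG into a hard element error; the commit message accepts this, but the comment should mention it too. gst_jpeg_dec_chain begins and ends outside this hunk.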
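Review bot: `g_assert (dec->cinfo.num_components == 3);` guards a value that comes from the parsed file, so it either disappears in builds with G_DISABLE_ASSERT or aborts the whole process when a file violates it; neither suits untrusted input. libjpeg presumably reports JCS_YCbCr only for three-component images, so the condition may be unreachable after the earlier colour-space check, but an explicit `if (dec->cinfo.num_components != 3) goto components_not_supported;` holds in every build and fails cleanly. In the condition that follows, r_v is capped at 2 while r_h has no upper bound; both are set outside this hunk, so please confirm whether a matching `r_h > 2` limit is needed for the I420 path. The body of gst_jpeg_dec_chain continues outside the hunk.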
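Review bot: `invalid_yuv` only sets `ret` and jumps to `done`, although it is reached after the decompression cycle has been started (the sampling check in the previous hunk sits below the "failed to start decompression cycle" warning). If `done`, which is outside this hunk, does not reset the libjpeg state, the next buffer would meet a decompressor that is still mid-image; consider adding `jpeg_abort_decompress (&dec->cinfo);` before `ret = GST_FLOW_ERROR;` in `invalid_yuv`. Both new messages would also be easier to triage if the debug string carried the rejected value, e.g. `("Unsupported colourspace %d", dec->cinfo.jpeg_color_space)`.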