[SCM] libav/experimental: Add a got_picture flag to MJpegDecodeContext which indicates if its picture element is valid. Skip the code handling SOS and EOI if not, since it can not work without a valid AVPicture. This fixes a crash with mjpeg/smclockmjpeg.avi.1.0 from issue 1240 where the decoder returned an invalid AVPicture.

[siretart at users.alioth.debian.org]

The following commit has been merged in the experimental branch:
commit 643fd8a198ddb67225f5edd503f8f151d13635a3
Author: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
Date:   Sat Jul 4 18:20:35 2009 +0000

    Add a got_picture flag to MJpegDecodeContext which indicates if its picture
    element is valid. Skip the code handling SOS and EOI if not, since it can not
    work without a valid AVPicture.
    This fixes a crash with mjpeg/smclockmjpeg.avi.1.0 from issue 1240 where the
    decoder returned an invalid AVPicture.
    
    Originally committed as revision 19342 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 90b87f4..b5f8281 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -338,6 +338,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
     }
     s->picture.pict_type= FF_I_TYPE;
     s->picture.key_frame= 1;
+    s->got_picture = 1;
 
     for(i=0; i<3; i++){
         s->linesize[i]= s->picture.linesize[i] << s->interlaced;
@@ -1249,6 +1250,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx,
     int start_code;
     AVFrame *picture = data;
 
+    s->got_picture = 0; // picture from previous image can not be reused
     buf_ptr = buf;
     buf_end = buf + buf_size;
     while (buf_ptr < buf_end) {
@@ -1410,6 +1412,10 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx,
                     if ((s->buggy_avid && !s->interlaced) || s->restart_interval)
                         break;
 eoi_parser:
+                    if (!s->got_picture) {
+                        av_log(avctx, AV_LOG_WARNING, "Found EOI before any SOF, ignoring\n");
+                        break;
+                    }
                     {
                         if (s->interlaced) {
                             s->bottom_field ^= 1;
@@ -1434,6 +1440,10 @@ eoi_parser:
                     }
                     break;
                 case SOS:
+                    if (!s->got_picture) {
+                        av_log(avctx, AV_LOG_WARNING, "Can not process SOS before SOF, skipping\n");
+                        break;
+                    }
                     ff_mjpeg_decode_sos(s);
                     /* buggy avid puts EOI every 10-20th frame */
                     /* if restart period is over process EOI */
diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h
index 5a77759..9ef8987 100644
--- a/libavcodec/mjpegdec.h
+++ b/libavcodec/mjpegdec.h
@@ -81,6 +81,7 @@ typedef struct MJpegDecodeContext {
     int quant_index[4];   /* quant table index for each component */
     int last_dc[MAX_COMPONENTS]; /* last DEQUANTIZED dc (XXX: am I right to do that ?) */
     AVFrame picture; /* picture structure */
+    int got_picture;                                ///< we found a SOF and picture is valid, too.
     int linesize[MAX_COMPONENTS];                   ///< linesize << interlaced
     int8_t *qscale_table;
     DECLARE_ALIGNED_16(DCTELEM, block[64]);

-- 
Libav/FFmpeg packaging