From 3969b4b861ce8152e3195e8f8c3437abd273b90a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Mar 2013 22:23:27 +0100 Subject: [PATCH] gmc: Always use edge emu The gmc functions access more pixels than there is allocated memory. Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_motion.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index beb4d6cda3..1439eb2245 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -59,13 +59,11 @@ static void gmc1_motion(MpegEncContext *s, ptr = ref_picture[0] + (src_y * linesize) + src_x; - if(s->flags&CODEC_FLAG_EMU_EDGE){ if( (unsigned)src_x >= FFMAX(s->h_edge_pos - 17, 0) || (unsigned)src_y >= FFMAX(s->v_edge_pos - 17, 0)){ s->vdsp.emulated_edge_mc(s->edge_emu_buffer, ptr, linesize, 17, 17, src_x, src_y, s->h_edge_pos, s->v_edge_pos); ptr= s->edge_emu_buffer; } - } if((motion_x|motion_y)&7){ s->dsp.gmc1(dest_y , ptr , linesize, 16, motion_x&15, motion_y&15, 128 - s->no_rounding); @@ -98,14 +96,12 @@ static void gmc1_motion(MpegEncContext *s, offset = (src_y * uvlinesize) + src_x; ptr = ref_picture[1] + offset; - if(s->flags&CODEC_FLAG_EMU_EDGE){ if( (unsigned)src_x >= FFMAX((s->h_edge_pos>>1) - 9, 0) || (unsigned)src_y >= FFMAX((s->v_edge_pos>>1) - 9, 0)){ s->vdsp.emulated_edge_mc(s->edge_emu_buffer, ptr, uvlinesize, 9, 9, src_x, src_y, s->h_edge_pos>>1, s->v_edge_pos>>1); ptr= s->edge_emu_buffer; emu=1; } - } s->dsp.gmc1(dest_cb, ptr, uvlinesize, 8, motion_x&15, motion_y&15, 128 - s->no_rounding); ptr = ref_picture[2] + offset;