1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00

avcodec/012v: redesign main loop

Fixes out of array accesses
Fixes: ffmpeg_012v_crash.ts

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Reviewed-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2015-03-10 19:18:34 +01:00
parent 0637b59c2c
commit 48df30d36c

View File

@ -38,7 +38,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx)
static int zero12v_decode_frame(AVCodecContext *avctx, void *data, static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
int *got_frame, AVPacket *avpkt) int *got_frame, AVPacket *avpkt)
{ {
int line = 0, ret; int line, ret;
const int width = avctx->width; const int width = avctx->width;
AVFrame *pic = data; AVFrame *pic = data;
uint16_t *y, *u, *v; uint16_t *y, *u, *v;
@ -67,45 +67,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
pic->pict_type = AV_PICTURE_TYPE_I; pic->pict_type = AV_PICTURE_TYPE_I;
pic->key_frame = 1; pic->key_frame = 1;
y = (uint16_t *)pic->data[0];
u = (uint16_t *)pic->data[1];
v = (uint16_t *)pic->data[2];
line_end = avpkt->data + stride; line_end = avpkt->data + stride;
for (line = 0; line < avctx->height; line++) {
uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000};
uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000};
uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000};
int x;
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
while (line++ < avctx->height) { for (x = 0; x < width; x += 6) {
while (1) { uint32_t t;
uint32_t t = AV_RL32(src);
if (width - x < 6 || line_end - src < 16) {
y = y_temp;
u = u_temp;
v = v_temp;
}
if (line_end - src < 4)
break;
t = AV_RL32(src);
src += 4; src += 4;
*u++ = t << 6 & 0xFFC0; *u++ = t << 6 & 0xFFC0;
*y++ = t >> 4 & 0xFFC0; *y++ = t >> 4 & 0xFFC0;
*v++ = t >> 14 & 0xFFC0; *v++ = t >> 14 & 0xFFC0;
if (src >= line_end - 1) { if (line_end - src < 4)
*y = 0x80;
src++;
line_end += stride;
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
break; break;
}
t = AV_RL32(src); t = AV_RL32(src);
src += 4; src += 4;
*y++ = t << 6 & 0xFFC0; *y++ = t << 6 & 0xFFC0;
*u++ = t >> 4 & 0xFFC0; *u++ = t >> 4 & 0xFFC0;
*y++ = t >> 14 & 0xFFC0; *y++ = t >> 14 & 0xFFC0;
if (src >= line_end - 2) {
if (!(width & 1)) { if (line_end - src < 4)
*y = 0x80;
src += 2;
}
line_end += stride;
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
break; break;
}
t = AV_RL32(src); t = AV_RL32(src);
src += 4; src += 4;
@ -113,15 +113,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
*y++ = t >> 4 & 0xFFC0; *y++ = t >> 4 & 0xFFC0;
*u++ = t >> 14 & 0xFFC0; *u++ = t >> 14 & 0xFFC0;
if (src >= line_end - 1) { if (line_end - src < 4)
*y = 0x80;
src++;
line_end += stride;
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
break; break;
}
t = AV_RL32(src); t = AV_RL32(src);
src += 4; src += 4;
@ -129,18 +122,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
*v++ = t >> 4 & 0xFFC0; *v++ = t >> 4 & 0xFFC0;
*y++ = t >> 14 & 0xFFC0; *y++ = t >> 14 & 0xFFC0;
if (src >= line_end - 2) { if (width - x < 6)
if (width & 1) {
*y = 0x80;
src += 2;
}
line_end += stride;
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
break; break;
}
} }
if (x < width) {
y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
memcpy(y, y_temp, sizeof(*y) * (width - x));
memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
}
line_end += stride;
src = line_end - stride;
} }
*got_frame = 1; *got_frame = 1;