mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-13 21:28:01 +02:00
avcodec/012v: redesign main loop
Fixes out of array accesses Fixes: ffmpeg_012v_crash.ts Found-by: Thomas Lindroth <thomas.lindroth@gmail.com> Reviewed-by: Thomas Lindroth <thomas.lindroth@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
0637b59c2c
commit
48df30d36c
@ -38,7 +38,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx)
|
|||||||
static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
|
static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
|
||||||
int *got_frame, AVPacket *avpkt)
|
int *got_frame, AVPacket *avpkt)
|
||||||
{
|
{
|
||||||
int line = 0, ret;
|
int line, ret;
|
||||||
const int width = avctx->width;
|
const int width = avctx->width;
|
||||||
AVFrame *pic = data;
|
AVFrame *pic = data;
|
||||||
uint16_t *y, *u, *v;
|
uint16_t *y, *u, *v;
|
||||||
@ -67,45 +67,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
|
|||||||
pic->pict_type = AV_PICTURE_TYPE_I;
|
pic->pict_type = AV_PICTURE_TYPE_I;
|
||||||
pic->key_frame = 1;
|
pic->key_frame = 1;
|
||||||
|
|
||||||
y = (uint16_t *)pic->data[0];
|
|
||||||
u = (uint16_t *)pic->data[1];
|
|
||||||
v = (uint16_t *)pic->data[2];
|
|
||||||
line_end = avpkt->data + stride;
|
line_end = avpkt->data + stride;
|
||||||
|
for (line = 0; line < avctx->height; line++) {
|
||||||
|
uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000};
|
||||||
|
uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000};
|
||||||
|
uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000};
|
||||||
|
int x;
|
||||||
|
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
|
||||||
|
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
|
||||||
|
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
|
||||||
|
|
||||||
while (line++ < avctx->height) {
|
for (x = 0; x < width; x += 6) {
|
||||||
while (1) {
|
uint32_t t;
|
||||||
uint32_t t = AV_RL32(src);
|
|
||||||
|
if (width - x < 6 || line_end - src < 16) {
|
||||||
|
y = y_temp;
|
||||||
|
u = u_temp;
|
||||||
|
v = v_temp;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (line_end - src < 4)
|
||||||
|
break;
|
||||||
|
|
||||||
|
t = AV_RL32(src);
|
||||||
src += 4;
|
src += 4;
|
||||||
*u++ = t << 6 & 0xFFC0;
|
*u++ = t << 6 & 0xFFC0;
|
||||||
*y++ = t >> 4 & 0xFFC0;
|
*y++ = t >> 4 & 0xFFC0;
|
||||||
*v++ = t >> 14 & 0xFFC0;
|
*v++ = t >> 14 & 0xFFC0;
|
||||||
|
|
||||||
if (src >= line_end - 1) {
|
if (line_end - src < 4)
|
||||||
*y = 0x80;
|
|
||||||
src++;
|
|
||||||
line_end += stride;
|
|
||||||
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
|
|
||||||
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
|
|
||||||
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
|
|
||||||
t = AV_RL32(src);
|
t = AV_RL32(src);
|
||||||
src += 4;
|
src += 4;
|
||||||
*y++ = t << 6 & 0xFFC0;
|
*y++ = t << 6 & 0xFFC0;
|
||||||
*u++ = t >> 4 & 0xFFC0;
|
*u++ = t >> 4 & 0xFFC0;
|
||||||
*y++ = t >> 14 & 0xFFC0;
|
*y++ = t >> 14 & 0xFFC0;
|
||||||
if (src >= line_end - 2) {
|
|
||||||
if (!(width & 1)) {
|
if (line_end - src < 4)
|
||||||
*y = 0x80;
|
|
||||||
src += 2;
|
|
||||||
}
|
|
||||||
line_end += stride;
|
|
||||||
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
|
|
||||||
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
|
|
||||||
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
|
|
||||||
t = AV_RL32(src);
|
t = AV_RL32(src);
|
||||||
src += 4;
|
src += 4;
|
||||||
@ -113,15 +113,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
|
|||||||
*y++ = t >> 4 & 0xFFC0;
|
*y++ = t >> 4 & 0xFFC0;
|
||||||
*u++ = t >> 14 & 0xFFC0;
|
*u++ = t >> 14 & 0xFFC0;
|
||||||
|
|
||||||
if (src >= line_end - 1) {
|
if (line_end - src < 4)
|
||||||
*y = 0x80;
|
|
||||||
src++;
|
|
||||||
line_end += stride;
|
|
||||||
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
|
|
||||||
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
|
|
||||||
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
|
|
||||||
t = AV_RL32(src);
|
t = AV_RL32(src);
|
||||||
src += 4;
|
src += 4;
|
||||||
@ -129,18 +122,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
|
|||||||
*v++ = t >> 4 & 0xFFC0;
|
*v++ = t >> 4 & 0xFFC0;
|
||||||
*y++ = t >> 14 & 0xFFC0;
|
*y++ = t >> 14 & 0xFFC0;
|
||||||
|
|
||||||
if (src >= line_end - 2) {
|
if (width - x < 6)
|
||||||
if (width & 1) {
|
|
||||||
*y = 0x80;
|
|
||||||
src += 2;
|
|
||||||
}
|
|
||||||
line_end += stride;
|
|
||||||
y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
|
|
||||||
u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
|
|
||||||
v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (x < width) {
|
||||||
|
y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
|
||||||
|
u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
|
||||||
|
v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
|
||||||
|
memcpy(y, y_temp, sizeof(*y) * (width - x));
|
||||||
|
memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
|
||||||
|
memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
|
||||||
|
}
|
||||||
|
|
||||||
|
line_end += stride;
|
||||||
|
src = line_end - stride;
|
||||||
}
|
}
|
||||||
|
|
||||||
*got_frame = 1;
|
*got_frame = 1;
|
||||||
|
Loading…
Reference in New Issue
Block a user