virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

svq1dec: clip motion vectors to the frame size.

Browse Source 
Fixes invalid reads for corrupted files.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
This commit is contained in:
Anton Khirnov 2013-04-08 22:15:54 +02:00
parent b1bb8fb860
commit ecff5acb5a
1 changed files with 13 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
libavcodec/svq1dec.c
View File

@ -322,7 +322,8 @@ static void svq1_skip_block(uint8_t *current, uint8_t *previous,
static int svq1_motion_inter_block(DSPContext *dsp, GetBitContext *bitbuf, static int svq1_motion_inter_block(DSPContext *dsp, GetBitContext *bitbuf,
uint8_t *current, uint8_t *previous, uint8_t *current, uint8_t *previous,
int pitch, svq1_pmv *motion, int x, int y) int pitch, svq1_pmv *motion, int x, int y,
int width, int height)
{ {
uint8_t *src; uint8_t *src;
uint8_t *dst; uint8_t *dst;
@ -352,10 +353,8 @@ static int svq1_motion_inter_block(DSPContext *dsp, GetBitContext *bitbuf,
motion[x / 8 + 2].y = motion[x / 8 + 2].y =
motion[x / 8 + 3].y = mv.y; motion[x / 8 + 3].y = mv.y;
if (y + (mv.y >> 1) < 0) mv.x = av_clip(mv.x, -2 * x, 2 * (width - x - 16));
mv.y = 0; mv.y = av_clip(mv.y, -2 * y, 2 * (height - y - 16));
if (x + (mv.x >> 1) < 0)
mv.x = 0;
src = &previous[(x + (mv.x >> 1)) + (y + (mv.y >> 1)) * pitch]; src = &previous[(x + (mv.x >> 1)) + (y + (mv.y >> 1)) * pitch];
dst = current; dst = current;
@ -367,7 +366,8 @@ static int svq1_motion_inter_block(DSPContext *dsp, GetBitContext *bitbuf,
static int svq1_motion_inter_4v_block(DSPContext *dsp, GetBitContext *bitbuf, static int svq1_motion_inter_4v_block(DSPContext *dsp, GetBitContext *bitbuf,
uint8_t *current, uint8_t *previous, uint8_t *current, uint8_t *previous,
int pitch, svq1_pmv *motion, int x, int y) int pitch, svq1_pmv *motion, int x, int y,
int width, int height)
{ {
uint8_t *src; uint8_t *src;
uint8_t *dst; uint8_t *dst;
@ -427,10 +427,8 @@ static int svq1_motion_inter_4v_block(DSPContext *dsp, GetBitContext *bitbuf,
int mvy = pmv[i]->y + (i >> 1) * 16; int mvy = pmv[i]->y + (i >> 1) * 16;
// FIXME: clipping or padding? // FIXME: clipping or padding?
if (y + (mvy >> 1) < 0) mvx = av_clip(mvx, -2 * x, 2 * (width - x - 8));
mvy = 0; mvy = av_clip(mvy, -2 * y, 2 * (height - y - 8));
if (x + (mvx >> 1) < 0)
mvx = 0;
src = &previous[(x + (mvx >> 1)) + (y + (mvy >> 1)) * pitch]; src = &previous[(x + (mvx >> 1)) + (y + (mvy >> 1)) * pitch];
dst = current; dst = current;
@ -450,7 +448,8 @@ static int svq1_motion_inter_4v_block(DSPContext *dsp, GetBitContext *bitbuf,
static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp, static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp,
GetBitContext *bitbuf, GetBitContext *bitbuf,
uint8_t *current, uint8_t *previous, uint8_t *current, uint8_t *previous,
int pitch, svq1_pmv *motion, int x, int y) int pitch, svq1_pmv *motion, int x, int y,
int width, int height)
{ {
uint32_t block_type; uint32_t block_type;
int result = 0; int result = 0;
@ -475,7 +474,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp,
case SVQ1_BLOCK_INTER: case SVQ1_BLOCK_INTER:
result = svq1_motion_inter_block(dsp, bitbuf, current, previous, result = svq1_motion_inter_block(dsp, bitbuf, current, previous,
pitch, motion, x, y); pitch, motion, x, y, width, height);
if (result != 0) { if (result != 0) {
av_dlog(avctx, "Error in svq1_motion_inter_block %i\n", result); av_dlog(avctx, "Error in svq1_motion_inter_block %i\n", result);
@ -486,7 +485,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp,
case SVQ1_BLOCK_INTER_4V: case SVQ1_BLOCK_INTER_4V:
result = svq1_motion_inter_4v_block(dsp, bitbuf, current, previous, result = svq1_motion_inter_4v_block(dsp, bitbuf, current, previous,
pitch, motion, x, y); pitch, motion, x, y, width, height);
if (result != 0) { if (result != 0) {
av_dlog(avctx, "Error in svq1_motion_inter_4v_block %i\n", result); av_dlog(avctx, "Error in svq1_motion_inter_4v_block %i\n", result);
@ -703,7 +702,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
result = svq1_decode_delta_block(avctx, &s->dsp, result = svq1_decode_delta_block(avctx, &s->dsp,
&s->gb, &current[x], &s->gb, &current[x],
previous, linesize, previous, linesize,
pmv, x, y); pmv, x, y, width, height);
if (result != 0) { if (result != 0) {
av_dlog(avctx, av_dlog(avctx,
"Error in svq1_decode_delta_block %i\n", "Error in svq1_decode_delta_block %i\n",