videolan/ffmpeg
1
Fork 0
mirror of https://git.videolan.org/git/ffmpeg.git synced 2024-07-22 04:04:14 +02:00
Code Releases Activity

gmc: Always use edge emu

Browse Source 
The gmc functions access more pixels than there is allocated memory.
Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-03-28 22:23:27 +01:00
parent 8fc52a5ef9
commit 3969b4b861
1 changed files with 0 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/mpegvideo_motion.c
View File

@ -59,13 +59,11 @@ static void gmc1_motion(MpegEncContext *s,
ptr = ref_picture[0] + (src_y * linesize) + src_x;
if(s->flags&CODEC_FLAG_EMU_EDGE){
if( (unsigned)src_x >= FFMAX(s->h_edge_pos - 17, 0)
|| (unsigned)src_y >= FFMAX(s->v_edge_pos - 17, 0)){
s->vdsp.emulated_edge_mc(s->edge_emu_buffer, ptr, linesize, 17, 17, src_x, src_y, s->h_edge_pos, s->v_edge_pos);
ptr= s->edge_emu_buffer;
}
}
if((motion_x|motion_y)&7){
s->dsp.gmc1(dest_y , ptr , linesize, 16, motion_x&15, motion_y&15, 128 - s->no_rounding);
@ -98,14 +96,12 @@ static void gmc1_motion(MpegEncContext *s,
offset = (src_y * uvlinesize) + src_x;
ptr = ref_picture[1] + offset;
if(s->flags&CODEC_FLAG_EMU_EDGE){
if( (unsigned)src_x >= FFMAX((s->h_edge_pos>>1) - 9, 0)
|| (unsigned)src_y >= FFMAX((s->v_edge_pos>>1) - 9, 0)){
s->vdsp.emulated_edge_mc(s->edge_emu_buffer, ptr, uvlinesize, 9, 9, src_x, src_y, s->h_edge_pos>>1, s->v_edge_pos>>1);
ptr= s->edge_emu_buffer;
emu=1;
}
}
s->dsp.gmc1(dest_cb, ptr, uvlinesize, 8, motion_x&15, motion_y&15, 128 - s->no_rounding);
ptr = ref_picture[2] + offset;