gmc: Always use edge emu
The gmc functions access more pixels than there is allocated memory. Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
8fc52a5ef9
commit
3969b4b861
@ -59,13 +59,11 @@ static void gmc1_motion(MpegEncContext *s,
|
||||
|
||||
ptr = ref_picture[0] + (src_y * linesize) + src_x;
|
||||
|
||||
if(s->flags&CODEC_FLAG_EMU_EDGE){
|
||||
if( (unsigned)src_x >= FFMAX(s->h_edge_pos - 17, 0)
|
||||
|| (unsigned)src_y >= FFMAX(s->v_edge_pos - 17, 0)){
|
||||
s->vdsp.emulated_edge_mc(s->edge_emu_buffer, ptr, linesize, 17, 17, src_x, src_y, s->h_edge_pos, s->v_edge_pos);
|
||||
ptr= s->edge_emu_buffer;
|
||||
}
|
||||
}
|
||||
|
||||
if((motion_x|motion_y)&7){
|
||||
s->dsp.gmc1(dest_y , ptr , linesize, 16, motion_x&15, motion_y&15, 128 - s->no_rounding);
|
||||
@ -98,14 +96,12 @@ static void gmc1_motion(MpegEncContext *s,
|
||||
|
||||
offset = (src_y * uvlinesize) + src_x;
|
||||
ptr = ref_picture[1] + offset;
|
||||
if(s->flags&CODEC_FLAG_EMU_EDGE){
|
||||
if( (unsigned)src_x >= FFMAX((s->h_edge_pos>>1) - 9, 0)
|
||||
|| (unsigned)src_y >= FFMAX((s->v_edge_pos>>1) - 9, 0)){
|
||||
s->vdsp.emulated_edge_mc(s->edge_emu_buffer, ptr, uvlinesize, 9, 9, src_x, src_y, s->h_edge_pos>>1, s->v_edge_pos>>1);
|
||||
ptr= s->edge_emu_buffer;
|
||||
emu=1;
|
||||
}
|
||||
}
|
||||
s->dsp.gmc1(dest_cb, ptr, uvlinesize, 8, motion_x&15, motion_y&15, 128 - s->no_rounding);
|
||||
|
||||
ptr = ref_picture[2] + offset;
|
||||
|
Loading…
Reference in New Issue
Block a user