generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

avcodec/mpegvideo: fix ac/dc_val and coded_block table sizes

Browse Source 
With interlaced vc1 it was possible that accesses could happen outside these
tables before this.

Regression since 017e234c20
Reproduced with a sample from Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Fixes (again) : 480i30__codec_WVC1__mode_2__framerate_29.970__type_2__preproc_17.SIGFPE.bfa.390.wmv
No releases are affected by this

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2014-01-03 20:20:12 +01:00
parent 9c5260e73a
commit 950fb8acb4
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/mpegvideo.c
View File

@@ -552,6 +552,9 @@ static int init_duplicate_context(MpegEncContext *s)
int yc_size = y_size + 2 * c_size;
int i;
if (s->mb_height & 1)
yc_size += 2*s->b8_stride + 2*s->mb_stride;
s->edge_emu_buffer =
s->me.scratchpad =
s->me.temp =
@@ -899,6 +902,9 @@ static int init_context_frame(MpegEncContext *s)
c_size = s->mb_stride * (s->mb_height + 1);
yc_size = y_size + 2 * c_size;
if (s->mb_height & 1)
yc_size += 2*s->b8_stride + 2*s->mb_stride;
FF_ALLOCZ_OR_GOTO(s->avctx, s->mb_index2xy, (s->mb_num + 1) * sizeof(int), fail); // error ressilience code looks cleaner with this
for (y = 0; y < s->mb_height; y++)
for (x = 0; x < s->mb_width; x++)
@@ -956,7 +962,7 @@ static int init_context_frame(MpegEncContext *s)
}
if (s->out_format == FMT_H263) {
/* cbp values */
FF_ALLOCZ_OR_GOTO(s->avctx, s->coded_block_base, y_size, fail);
FF_ALLOCZ_OR_GOTO(s->avctx, s->coded_block_base, y_size + (s->mb_height&1)*2*s->b8_stride, fail);
s->coded_block = s->coded_block_base + s->b8_stride + 1;
/* cbp, ac_pred, pred_dir */