Don't use ff_cropTbl[] for IDCT.

Results of the IDCT can far exceed the range of ff_cropTbl[], leading
to overreads and potentially crashes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Ronald S. Bultje
2012-03-05 16:01:19 -08:00
parent 2254b559cb
commit c23acbaed4
9 changed files with 161 additions and 201 deletions


@@ -55,7 +55,6 @@ static av_always_inline void rv34_row_transform(int temp[16], DCTELEM *block)
*/
static void rv34_idct_add_c(uint8_t *dst, ptrdiff_t stride, DCTELEM *block){
int temp[16];
uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
int i;
rv34_row_transform(temp, block);
@@ -67,10 +66,10 @@ static void rv34_idct_add_c(uint8_t *dst, ptrdiff_t stride, DCTELEM *block){
const int z2 = 7* temp[4*1+i] - 17*temp[4*3+i];
const int z3 = 17* temp[4*1+i] + 7*temp[4*3+i];
dst[0] = cm[ dst[0] + ( (z0 + z3) >> 10 ) ];
dst[1] = cm[ dst[1] + ( (z1 + z2) >> 10 ) ];
dst[2] = cm[ dst[2] + ( (z1 - z2) >> 10 ) ];
dst[3] = cm[ dst[3] + ( (z0 - z3) >> 10 ) ];
dst[0] = av_clip_uint8( dst[0] + ( (z0 + z3) >> 10 ) );
dst[1] = av_clip_uint8( dst[1] + ( (z1 + z2) >> 10 ) );
dst[2] = av_clip_uint8( dst[2] + ( (z1 - z2) >> 10 ) );
dst[3] = av_clip_uint8( dst[3] + ( (z0 - z3) >> 10 ) );
dst += stride;
}
@@ -103,15 +102,13 @@ static void rv34_inv_transform_noround_c(DCTELEM *block){
static void rv34_idct_dc_add_c(uint8_t *dst, ptrdiff_t stride, int dc)
{
const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
int i, j;
cm += (13*13*dc + 0x200) >> 10;
dc = (13*13*dc + 0x200) >> 10;
for (i = 0; i < 4; i++)
{
for (j = 0; j < 4; j++)
dst[j] = cm[ dst[j] ];
dst[j] = av_clip_uint8( dst[j] + dc );
dst += stride;
}
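Review bot: Nothing in the new code records why the clamp is now computed with av_clip_uint8() rather than looked up in the crop table, so a later "optimisation" could quietly bring the table index back. In both rv34_idct_add_c and rv34_idct_dc_add_c the clamped value is a pixel plus a transform result that, per the commit message, can far exceed the table's range (presumably because the coefficients come from the decoded stream). A short comment above the clip lines would keep that constraint visible, for example `/* IDCT output is not bounded by MAX_NEG_CROP for arbitrary input: clip arithmetically, do not index ff_cropTbl here */`. The closing brace of rv34_idct_dc_add_c lies outside the last hunk, so the rest of that function was not reviewed.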