Annotation of /trunk/xine-lib/patches/xine-lib-1.1.1-CVE-2005-4048.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 3406 byte(s)
-import
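--- a/xine-lib-1.1.1/src/libffmpeg/libavcodec/utils.c
+++ b/xine-lib-1.1.1/src/libffmpeg/libavcodec/utils.c
@@ -292,27 +292,10 @@ int avcodec_default_get_buffer(AVCodecCo
 buf->last_pic_num= *picture_number;
 }else{
 int h_chroma_shift, v_chroma_shift;
- int pixel_size;
-
+ int pixel_size, size[3];
+ AVPicture picture;
+
 avcodec_get_chroma_sub_sample(s->pix_fmt, &h_chroma_shift, &v_chroma_shift);
-
- switch(s->pix_fmt){
- case PIX_FMT_RGB555:
- case PIX_FMT_RGB565:
- case PIX_FMT_YUV422:
- case PIX_FMT_UYVY422:
- pixel_size=2;
- break;
- case PIX_FMT_RGB24:
- case PIX_FMT_BGR24:
- pixel_size=3;
- break;
- case PIX_FMT_RGBA32:
- pixel_size=4;
- break;
- default:
- pixel_size=1;
- }
 
 avcodec_align_dimensions(s, &w, &h);
 
@@ -320,21 +303,39 @@ int avcodec_default_get_buffer(AVCodecCo
 w+= EDGE_WIDTH*2;
 h+= EDGE_WIDTH*2;
 }
-
+ avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
+ pixel_size= picture.linesize[0]*8 / w;
+//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", (int)picture.data[1], w, h, s->pix_fmt);
+ assert(pixel_size>=1);
+ //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
+ if(pixel_size == 3*8)
+ w= ALIGN(w, STRIDE_ALIGN<<h_chroma_shift);
+ else
+ w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size;
+ size[1] = avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
+ size[0] = picture.linesize[0] * h;
+ size[1] -= size[0];
+ if(picture.data[2])
+ size[1]= size[2]= size[1]/2;
+ else
+ size[2]= 0;
+
 buf->last_pic_num= -256*256*256*64;
+ memset(buf->base, 0, sizeof(buf->base));
+ memset(buf->data, 0, sizeof(buf->data));
 
- for(i=0; i<3; i++){
+ for(i=0; i<3 && size[i]; i++){
 const int h_shift= i==0 ? 0 : h_chroma_shift;
 const int v_shift= i==0 ? 0 : v_chroma_shift;
 
- //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
- buf->linesize[i]= ALIGN(pixel_size*w>>h_shift, STRIDE_ALIGN<<(h_chroma_shift-h_shift));
+ buf->linesize[i]= picture.linesize[i];
 
- buf->base[i]= av_malloc((buf->linesize[i]*h>>v_shift)+16); //FIXME 16
+ buf->base[i]= av_malloc(size[i]+16); //FIXME 16
 if(buf->base[i]==NULL) return -1;
- memset(buf->base[i], 128, buf->linesize[i]*h>>v_shift);
-
- if(s->flags&CODEC_FLAG_EMU_EDGE)
+ memset(buf->base[i], 128, size[i]);
+
+ // no edge if EDEG EMU or not planar YUV, we check for PAL8 redundantly to protect against a exploitable bug regression ...
+ if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2])
 buf->data[i] = buf->base[i];
 else
 buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);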
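Review bot: The only guard on `pixel_size` is `assert(pixel_size>=1)`, which compiles away under NDEBUG, so a zero value would reach the division in `ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size`. A runtime check such as `if(pixel_size < 1) return -1;` would also hold in release builds. Neither `avpicture_fill()` call has its result checked: the first feeds `picture.linesize[0]*8 / w`, and the second is stored in `size[1]` and ends up as the `av_malloc`/`memset` length. A failure return (presumably negative) or an int overflow in `picture.linesize[0] * h` should therefore be rejected before the allocation loop. Whether `w` and `h` are bounded earlier cannot be seen here, because avcodec_default_get_buffer starts and ends outside these hunks.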