Magellan Linux

Annotation of /trunk/xine-lib/patches/xine-lib-1.1.1-CVE-2005-4048.patch



Revision 153 - (hide annotations) (download)
Tue May 8 20:52:56 2007 UTC (17 years, 1 month ago) by niro
File size: 3406 byte(s)
-import

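Index: xine-lib-1.1.1/src/libffmpeg/libavcodec/utils.c
===================================================================
--- xine-lib-1.1.1.orig/src/libffmpeg/libavcodec/utils.c
+++ xine-lib-1.1.1/src/libffmpeg/libavcodec/utils.c
@@ -292,27 +292,10 @@ int avcodec_default_get_buffer(AVCodecCo
  buf->last_pic_num= *picture_number;
  }else{
  int h_chroma_shift, v_chroma_shift;
- int pixel_size;
-
+ int pixel_size, size[3];
+ AVPicture picture;
+
  avcodec_get_chroma_sub_sample(s->pix_fmt, &h_chroma_shift, &v_chroma_shift);
-
- switch(s->pix_fmt){
- case PIX_FMT_RGB555:
- case PIX_FMT_RGB565:
- case PIX_FMT_YUV422:
- case PIX_FMT_UYVY422:
- pixel_size=2;
- break;
- case PIX_FMT_RGB24:
- case PIX_FMT_BGR24:
- pixel_size=3;
- break;
- case PIX_FMT_RGBA32:
- pixel_size=4;
- break;
- default:
- pixel_size=1;
- }
 
  avcodec_align_dimensions(s, &w, &h);
 
@@ -320,21 +303,39 @@ int avcodec_default_get_buffer(AVCodecCo
  w+= EDGE_WIDTH*2;
  h+= EDGE_WIDTH*2;
  }
-
+ avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
+ pixel_size= picture.linesize[0]*8 / w;
+//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", (int)picture.data[1], w, h, s->pix_fmt);
+ assert(pixel_size>=1);
+ //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
+ if(pixel_size == 3*8)
+ w= ALIGN(w, STRIDE_ALIGN<<h_chroma_shift);
+ else
+ w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size;
+ size[1] = avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
+ size[0] = picture.linesize[0] * h;
+ size[1] -= size[0];
+ if(picture.data[2])
+ size[1]= size[2]= size[1]/2;
+ else
+ size[2]= 0;
+
  buf->last_pic_num= -256*256*256*64;
+ memset(buf->base, 0, sizeof(buf->base));
+ memset(buf->data, 0, sizeof(buf->data));
 
- for(i=0; i<3; i++){
+ for(i=0; i<3 && size[i]; i++){
  const int h_shift= i==0 ? 0 : h_chroma_shift;
  const int v_shift= i==0 ? 0 : v_chroma_shift;
 
- //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
- buf->linesize[i]= ALIGN(pixel_size*w>>h_shift, STRIDE_ALIGN<<(h_chroma_shift-h_shift));
+ buf->linesize[i]= picture.linesize[i];
 
- buf->base[i]= av_malloc((buf->linesize[i]*h>>v_shift)+16); //FIXME 16
+ buf->base[i]= av_malloc(size[i]+16); //FIXME 16
  if(buf->base[i]==NULL) return -1;
- memset(buf->base[i], 128, buf->linesize[i]*h>>v_shift);
-
- if(s->flags&CODEC_FLAG_EMU_EDGE)
+ memset(buf->base[i], 128, size[i]);
+
+ // no edge if EDEG EMU or not planar YUV, we check for PAL8 redundantly to protect against a exploitable bug regression ...
+ if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2])
  buf->data[i] = buf->base[i];
  else
  buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);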
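Review bot: The only guard on `pixel_size` before it becomes a divisor in the `else` branch is `assert(pixel_size>=1)`, which is compiled out under NDEBUG, so a format or width for which `picture.linesize[0]*8 / w` yields 0 would reach a division by zero in release builds; a runtime check such as `if(pixel_size < 1) return -1;` holds in every build. The result of the second `avpicture_fill()` call is stored in the `int` `size[1]` and used unchecked, so if that function can report failure with a negative value (not visible here), the plane sizes derived from it would flow into `av_malloc(size[i]+16)` and `memset(buf->base[i], 128, size[i])`; adding `if(size[1] < 0) return -1;` before the subtraction would close that path. The start and end of avcodec_default_get_buffer are outside the hunk, so whether `w` and `h` are range-checked earlier, and whether `picture.linesize[0] * h` can overflow `int`, cannot be confirmed from this patch.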