Contents of /trunk/xine-lib/patches/xine-lib-1.1.1-CVE-2005-4048.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 3406 byte(s)
-import
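Index: xine-lib-1.1.1/src/libffmpeg/libavcodec/utils.c
===================================================================
--- xine-lib-1.1.1.orig/src/libffmpeg/libavcodec/utils.c
+++ xine-lib-1.1.1/src/libffmpeg/libavcodec/utils.c
@@ -292,27 +292,10 @@ int avcodec_default_get_buffer(AVCodecCo
 buf->last_pic_num= *picture_number;
 }else{
 int h_chroma_shift, v_chroma_shift;
- int pixel_size;
-
+ int pixel_size, size[3];
+ AVPicture picture;
+
 avcodec_get_chroma_sub_sample(s->pix_fmt, &h_chroma_shift, &v_chroma_shift);
-
- switch(s->pix_fmt){
- case PIX_FMT_RGB555:
- case PIX_FMT_RGB565:
- case PIX_FMT_YUV422:
- case PIX_FMT_UYVY422:
- pixel_size=2;
- break;
- case PIX_FMT_RGB24:
- case PIX_FMT_BGR24:
- pixel_size=3;
- break;
- case PIX_FMT_RGBA32:
- pixel_size=4;
- break;
- default:
- pixel_size=1;
- }
 
 avcodec_align_dimensions(s, &w, &h);
 
@@ -320,21 +303,39 @@ int avcodec_default_get_buffer(AVCodecCo
 w+= EDGE_WIDTH*2;
 h+= EDGE_WIDTH*2;
 }
-
+ avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
+ pixel_size= picture.linesize[0]*8 / w;
+//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", (int)picture.data[1], w, h, s->pix_fmt);
+ assert(pixel_size>=1);
+ //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
+ if(pixel_size == 3*8)
+ w= ALIGN(w, STRIDE_ALIGN<<h_chroma_shift);
+ else
+ w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size;
+ size[1] = avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
+ size[0] = picture.linesize[0] * h;
+ size[1] -= size[0];
+ if(picture.data[2])
+ size[1]= size[2]= size[1]/2;
+ else
+ size[2]= 0;
+
 buf->last_pic_num= -256*256*256*64;
+ memset(buf->base, 0, sizeof(buf->base));
+ memset(buf->data, 0, sizeof(buf->data));
 
- for(i=0; i<3; i++){
+ for(i=0; i<3 && size[i]; i++){
 const int h_shift= i==0 ? 0 : h_chroma_shift;
 const int v_shift= i==0 ? 0 : v_chroma_shift;
 
- //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
- buf->linesize[i]= ALIGN(pixel_size*w>>h_shift, STRIDE_ALIGN<<(h_chroma_shift-h_shift));
+ buf->linesize[i]= picture.linesize[i];
 
- buf->base[i]= av_malloc((buf->linesize[i]*h>>v_shift)+16); //FIXME 16
+ buf->base[i]= av_malloc(size[i]+16); //FIXME 16
 if(buf->base[i]==NULL) return -1;
- memset(buf->base[i], 128, buf->linesize[i]*h>>v_shift);
-
- if(s->flags&CODEC_FLAG_EMU_EDGE)
+ memset(buf->base[i], 128, size[i]);
+
+ // no edge if EDEG EMU or not planar YUV, we check for PAL8 redundantly to protect against a exploitable bug regression ...
+ if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2])
 buf->data[i] = buf->base[i];
 else
 buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);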
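Review bot: In the second hunk the only guard on `pixel_size` before it is used as a divisor in `ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size` is `assert(pixel_size>=1)`, which is compiled out under NDEBUG, and neither `avpicture_fill()` call has its result checked. If `avpicture_fill()` can fail for an unsupported `s->pix_fmt` (its body is not part of this patch, so this is inferred), `picture.linesize[]` would be read from an uninitialised stack struct and `size[1]` would go negative before it reaches `av_malloc(size[i]+16)` and `memset(buf->base[i], 128, size[i])`. A runtime check would keep the allocation sizes trustworthy in release builds: `if(avpicture_fill(&picture, NULL, s->pix_fmt, w, h) < 0) return -1;` on the first call, `if(pixel_size < 1) return -1;` in place of the assert, and `if(size[1] < 0) return -1;` after the second call. Separately, the early `return -1` on `av_malloc` failure leaves any planes allocated in earlier iterations in `buf->base[]` without freeing them. Whether the caller cleans those up cannot be seen here, because `avcodec_default_get_buffer` starts and ends outside the hunk.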