Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before |
| 2 | using the pointers |
| 3 | |
| 4 | Fixes out of array accesses |
| 5 | Fixes Ticket2850 |
| 6 | |
| 7 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> |
| 8 | (cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34) |
| 9 | |
| 10 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> |
| 11 | |
| 12 | Upstream-Status: Backport |
| 13 | |
| 14 | Singed-off-by: Yue Tao <yue.tao@windriver.com> |
| 15 | |
| 16 | --- |
| 17 | libavcodec/rpza.c | 8 ++++---- |
| 18 | 1 files changed, 4 insertions(+), 4 deletions(-) |
| 19 | |
| 20 | diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c |
| 21 | index 635b406..f291a95 100644 |
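--- a/gst-libs/ext/libav/libavcodec/rpza.c
+++ b/gst-libs/ext/libav/libavcodec/rpza.c
@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
 unsigned short *pixels = (unsigned short *)s->frame.data[0];
 
 int row_ptr = 0;
- int pixel_ptr = 0;
+ int pixel_ptr = -4;
 int block_ptr;
 int pixel_x, pixel_y;
 int total_blocks;
@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
 colorA = AV_RB16 (&s->buf[stream_ptr]);
 stream_ptr += 2;
 while (n_blocks--) {
+ ADVANCE_BLOCK()
 block_ptr = row_ptr + pixel_ptr;
 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
 for (pixel_x = 0; pixel_x < 4; pixel_x++){
@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
 }
 block_ptr += row_inc;
 }
- ADVANCE_BLOCK();
 }
 break;
 
@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
 color4[2] |= ((21 * ta + 11 * tb) >> 5);
 
 while (n_blocks--) {
+ ADVANCE_BLOCK();
 block_ptr = row_ptr + pixel_ptr;
 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
 index = s->buf[stream_ptr++];
@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
 }
 block_ptr += row_inc;
 }
- ADVANCE_BLOCK();
 }
 break;
 
 /* Fill block with 16 colors */
 case 0x00:
+ ADVANCE_BLOCK();
 block_ptr = row_ptr + pixel_ptr;
 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
 for (pixel_x = 0; pixel_x < 4; pixel_x++){
@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
 }
 block_ptr += row_inc;
 }
- ADVANCE_BLOCK();
 break;
 
 /* Unknown opcode */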
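Review bot: Initialising `pixel_ptr` to `-4` makes every write path depend on `ADVANCE_BLOCK()` running before `block_ptr = row_ptr + pixel_ptr`; an opcode case that skipped it would index `pixels` at a negative offset. The three cases visible here (the single-colour fill loop, the four-colour loop and the sixteen-colour case) do call it first, but the rest of `rpza_decode_stream` and the macro body are outside the hunks, so the remaining cases should be checked against the same rule. I would document the sentinel at the declaration, e.g. `int pixel_ptr = -4; /* first ADVANCE_BLOCK() brings this to 0; never index pixels before it */`. The call added in the single-colour loop is written `ADVANCE_BLOCK()` without the trailing semicolon the other two added calls carry; presumably that compiles only because the macro expands to a braced block, and `ADVANCE_BLOCK();` would keep the three sites consistent.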
| 79 | -- |
| 80 | 1.7.5.4 |
| 81 | |