Mercurial > libavcodec.hg
comparison utils.c @ 5522:acaaff7b6fb8 libavcodec
ensure that default_get_buffer() doesnt reuse images if the dimension or
pix_fmt changed
fixes heap overflow, possibly exploitable
| author | michael |
|---|---|
| date | Fri, 10 Aug 2007 19:28:28 +0000 |
| parents | 8a28860d54ba |
| children | 3d10c3e84f96 |
comparison
equal
deleted
inserted
replaced
| 5521:6232e9874f46 | 5522:acaaff7b6fb8 |
|---|---|
| 145 typedef struct InternalBuffer{ | 145 typedef struct InternalBuffer{ |
| 146 int last_pic_num; | 146 int last_pic_num; |
| 147 uint8_t *base[4]; | 147 uint8_t *base[4]; |
| 148 uint8_t *data[4]; | 148 uint8_t *data[4]; |
| 149 int linesize[4]; | 149 int linesize[4]; |
| 150 int width, height; | |
| 151 enum PixelFormat pix_fmt; | |
| 150 }InternalBuffer; | 152 }InternalBuffer; |
| 151 | 153 |
| 152 #define INTERNAL_BUFFER_SIZE 32 | 154 #define INTERNAL_BUFFER_SIZE 32 |
| 153 | 155 |
| 154 #define ALIGN(x, a) (((x)+(a)-1)&~((a)-1)) | 156 #define ALIGN(x, a) (((x)+(a)-1)&~((a)-1)) |
| 249 | 251 |
| 250 buf= &((InternalBuffer*)s->internal_buffer)[s->internal_buffer_count]; | 252 buf= &((InternalBuffer*)s->internal_buffer)[s->internal_buffer_count]; |
| 251 picture_number= &(((InternalBuffer*)s->internal_buffer)[INTERNAL_BUFFER_SIZE-1]).last_pic_num; //FIXME ugly hack | 253 picture_number= &(((InternalBuffer*)s->internal_buffer)[INTERNAL_BUFFER_SIZE-1]).last_pic_num; //FIXME ugly hack |
| 252 (*picture_number)++; | 254 (*picture_number)++; |
| 253 | 255 |
| 256 if(buf->base[0] && (buf->width != w || buf->height != h || buf->pix_fmt != s->pix_fmt)){ | |
| 257 for(i=0; i<4; i++){ | |
| 258 av_freep(&buf->base[i]); | |
| 259 buf->data[i]= NULL; | |
| 260 } | |
| 261 } | |
| 262 | |
| 254 if(buf->base[0]){ | 263 if(buf->base[0]){ |
| 255 pic->age= *picture_number - buf->last_pic_num; | 264 pic->age= *picture_number - buf->last_pic_num; |
| 256 buf->last_pic_num= *picture_number; | 265 buf->last_pic_num= *picture_number; |
| 257 }else{ | 266 }else{ |
| 258 int h_chroma_shift, v_chroma_shift; | 267 int h_chroma_shift, v_chroma_shift; |
| 304 if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2]) | 313 if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2]) |
| 305 buf->data[i] = buf->base[i]; | 314 buf->data[i] = buf->base[i]; |
| 306 else | 315 else |
| 307 buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN); | 316 buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN); |
| 308 } | 317 } |
| 318 buf->width = s->width; | |
| 319 buf->height = s->height; | |
| 320 buf->pix_fmt= s->pix_fmt; | |
| 309 pic->age= 256*256*256*64; | 321 pic->age= 256*256*256*64; |
| 310 } | 322 } |
| 311 pic->type= FF_BUFFER_TYPE_INTERNAL; | 323 pic->type= FF_BUFFER_TYPE_INTERNAL; |
| 312 | 324 |
| 313 for(i=0; i<4; i++){ | 325 for(i=0; i<4; i++){ |