Mercurial > libavcodec.hg
comparison indeo3.c @ 9927:f954ea120c78 libavcodec
Reallocate internal buffer when coded frame size changes.
Fixes out-of-bounds reads and writes with i32/smclocki32.avi.1.0 from issue 1240.
| author | reimar |
|---|---|
| date | Mon, 06 Jul 2009 16:48:23 +0000 |
| parents | 773041579748 |
| children | 16330a3b573b |
comparison
equal
deleted
inserted
replaced
| 9926:773041579748 | 9927:f954ea120c78 |
|---|---|
| 105 chroma_pixels = chroma_width * chroma_height, | 105 chroma_pixels = chroma_width * chroma_height, |
| 106 i; | 106 i; |
| 107 unsigned int bufsize = luma_pixels * 2 + luma_width * 3 + | 107 unsigned int bufsize = luma_pixels * 2 + luma_width * 3 + |
| 108 (chroma_pixels + chroma_width) * 4; | 108 (chroma_pixels + chroma_width) * 4; |
| 109 | 109 |
| 110 av_freep(&s->buf); | |
| 110 if(!(s->buf = av_malloc(bufsize))) | 111 if(!(s->buf = av_malloc(bufsize))) |
| 111 return AVERROR(ENOMEM); | 112 return AVERROR(ENOMEM); |
| 112 s->iv_frame[0].y_w = s->iv_frame[1].y_w = luma_width; | 113 s->iv_frame[0].y_w = s->iv_frame[1].y_w = luma_width; |
| 113 s->iv_frame[0].y_h = s->iv_frame[1].y_h = luma_height; | 114 s->iv_frame[0].y_h = s->iv_frame[1].y_h = luma_height; |
| 114 s->iv_frame[0].uv_w = s->iv_frame[1].uv_w = chroma_width; | 115 s->iv_frame[0].uv_w = s->iv_frame[1].uv_w = chroma_width; |
| 995 image_height = bytestream_get_le16(&buf_pos); | 996 image_height = bytestream_get_le16(&buf_pos); |
| 996 image_width = bytestream_get_le16(&buf_pos); | 997 image_width = bytestream_get_le16(&buf_pos); |
| 997 | 998 |
| 998 if(avcodec_check_dimensions(avctx, image_width, image_height)) | 999 if(avcodec_check_dimensions(avctx, image_width, image_height)) |
| 999 return -1; | 1000 return -1; |
| 1001 if (image_width != avctx->width || image_height != avctx->height) { | |
| 1002 int ret; | |
| 1003 avcodec_set_dimensions(avctx, image_width, image_height); | |
| 1004 s->width = avctx->width; | |
| 1005 s->height = avctx->height; | |
| 1006 ret = iv_alloc_frames(s); | |
| 1007 if (ret < 0) { | |
| 1008 s->width = s->height = 0; | |
| 1009 return ret; | |
| 1010 } | |
| 1011 } | |
| 1000 | 1012 |
| 1001 chroma_height = ((image_height >> 2) + 3) & 0x7ffc; | 1013 chroma_height = ((image_height >> 2) + 3) & 0x7ffc; |
| 1002 chroma_width = ((image_width >> 2) + 3) & 0x7ffc; | 1014 chroma_width = ((image_width >> 2) + 3) & 0x7ffc; |
| 1003 y_offset = bytestream_get_le32(&buf_pos); | 1015 y_offset = bytestream_get_le32(&buf_pos); |
| 1004 v_offset = bytestream_get_le32(&buf_pos); | 1016 v_offset = bytestream_get_le32(&buf_pos); |