| author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-08-25 13:50:32 +0100 | 
|---|---|---|
| committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-08-25 13:50:32 +0100 | 
| commit | 104278cb4cf805fc875ebd49b4a4b8f369b91c7d (patch) | |
| tree | 5326778da99efa81163a7ffb7c31cf90041d88de | |
| parent | d122dee9253731cf50428228d1b670739d874eb2 (diff) | |
| download | xine-lib-104278cb4cf805fc875ebd49b4a4b8f369b91c7d.tar.gz xine-lib-104278cb4cf805fc875ebd49b4a4b8f369b91c7d.tar.bz2 | |
Fix a possible heap buffer overflow in the ffmpeg video decoder.
This could happen where the actual image height is not a multiple of 16.
--HG--
extra : transplant_source : %10%BD%8C%FE%BA%CA0%D5k%8A%9CH%DD%B1-%A7E4%CD%E6
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | src/combined/ffmpeg/ff_video_decoder.c | 24 | 
2 files changed, 15 insertions, 10 deletions
| @@ -1,6 +1,7 @@
 xine-lib (1.1.16) 2008-??-??
   * Security fixes:
     - Integer overflows in the ffmpeg audio decoder and the CDDA server.
+    - Heap buffer overflow in the ffmpeg video decoder.
   * Fix reported compilation failures (with C++ programs).
   * Fix CDDB access in 64-bit builds.
diff --git a/src/combined/ffmpeg/ff_video_decoder.c b/src/combined/ffmpeg/ff_video_decoder.c
index ac101d77e..e643708df 100644
--- a/src/combined/ffmpeg/ff_video_decoder.c
+++ b/src/combined/ffmpeg/ff_video_decoder.c
@@ -606,6 +606,10 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
   su = this->av_frame->data[1];
   sv = this->av_frame->data[2];
+  /* Some segfaults & heap corruption have been observed with img->height,
+   * so we use this->bih.biHeight instead (which is the displayed height)
+   */
+
   if (this->context->pix_fmt == PIX_FMT_YUV410P) {
     yuv9_to_yv12(
@@ -626,7 +630,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
       img->pitches[2],
      /* width x height */
       img->width,
-      img->height);
+      this->bih.biHeight);
   } else if (this->context->pix_fmt == PIX_FMT_YUV411P) {
@@ -648,7 +652,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
       img->pitches[2],
      /* width x height */
       img->width,
-      img->height);
+      this->bih.biHeight);
   } else if (this->context->pix_fmt == PIX_FMT_RGBA32) {
@@ -656,7 +660,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
     uint32_t *argb_pixels;
     uint32_t argb;
-    for(y = 0; y < img->height; y++) {
+    for(y = 0; y < this->bih.biHeight; y++) {
       argb_pixels = (uint32_t *)sy;
       for(x = 0; x < img->width; x++) {
         uint8_t r, g, b;
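Review bot: The comment added at -606 does not say why `img->height` is unsafe, and it sits ahead of the pixel-format branch rather than next to any of the places that use the height. Going by the commit message, the trouble arises when the actual image height is not a multiple of 16, so `img->height` is presumably larger than the number of decoded rows; stating that would let a later reader judge whether `img->width` needs the same care. Suggested wording: `/* img->height can be larger than the decoded picture (seen when the real height is not a multiple of 16), so every row loop below is bounded by this->bih.biHeight */`.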
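Review bot: The new height argument `this->bih.biHeight` in the `yuv9_to_yv12` call at -626 is not bounded by the destination frame, so the fix holds only while the header height is never larger than `img->height`. Nothing in the visible hunks establishes that; if `bih.biHeight` is filled from stream data or can be stale after a size change, the destination planes could be overrun from the other direction. Computing one clamped value before the branch, e.g. `int h = this->bih.biHeight < img->height ? this->bih.biHeight : img->height;`, and passing `h` here would cover both cases. The same applies to the call at -648 and to the row loops at -656, -684, -713, -741, -765, -808, -825 and -833; the function body starts and ends outside these hunks.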
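Review bot: The inner loop `for(x = 0; x < img->width; x++)` at -656 keeps `img->width` as its bound while the outer loop now uses the header height, so rows and columns are limited by two different sources. Whether the frame width is padded in the way the height evidently is cannot be seen here; if it is, each row read from `sy` may run past the decoded line, and this should be checked against the frame allocation and `linesize[0]`. The same pattern appears at -684, -713, -741, -765 and -808, and as the copy length in `xine_fast_memcpy (dy, sy, img->width)` at -825. If padding does apply, `this->bih.biWidth` (clamped to `img->width`) would be the matching bound.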
@@ -684,7 +688,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
     uint8_t *src;
     uint16_t pixel16;
-    for(y = 0; y < img->height; y++) {
+    for(y = 0; y < this->bih.biHeight; y++) {
       src = sy;
       for(x = 0; x < img->width; x++) {
         uint8_t r, g, b;
@@ -713,7 +717,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
     uint8_t *src;
     uint16_t pixel16;
-    for(y = 0; y < img->height; y++) {
+    for(y = 0; y < this->bih.biHeight; y++) {
       src = sy;
       for(x = 0; x < img->width; x++) {
         uint8_t r, g, b;
@@ -741,7 +745,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
     int x, plane_ptr = 0;
     uint8_t *src;
-    for(y = 0; y < img->height; y++) {
+    for(y = 0; y < this->bih.biHeight; y++) {
       src = sy;
       for(x = 0; x < img->width; x++) {
         uint8_t r, g, b;
@@ -765,7 +769,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
     int x, plane_ptr = 0;
     uint8_t *src;
-    for(y = 0; y < img->height; y++) {
+    for(y = 0; y < this->bih.biHeight; y++) {
       src = sy;
       for(x = 0; x < img->width; x++) {
         uint8_t r, g, b;
@@ -808,7 +812,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
       v_palette[x] = COMPUTE_V(r, g, b);
     }
-    for(y = 0; y < img->height; y++) {
+    for(y = 0; y < this->bih.biHeight; y++) {
       src = sy;
       for(x = 0; x < img->width; x++) {
         pixel = *src++;
@@ -825,7 +829,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
   } else {
-    for (y=0; y<img->height; y++) {
+    for (y = 0; y < this->bih.biHeight; y++) {
       xine_fast_memcpy (dy, sy, img->width);
       dy += img->pitches[0];
@@ -833,7 +837,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
       sy += this->av_frame->linesize[0];
     }
-    for (y=0; y<(img->height/2); y++) {
+    for (y = 0; y < this->bih.biHeight / 2; y++) {
       if (this->context->pix_fmt != PIX_FMT_YUV444P) { |
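Review bot: `this->bih.biHeight / 2` truncates, so for an odd displayed height the chroma loop at -833 copies one row fewer than the luma rows cover. With the old bound this could not occur if `img->height` was always even, which the commit message suggests but the hunk does not show. The skipped destination chroma row would keep whatever the frame buffer held before. If the source chroma planes carry the extra row, `for (y = 0; y < (this->bih.biHeight + 1) / 2; y++) {` would cover it, but confirm the decoder's plane sizes before widening the bound. The loop body continues outside the hunk.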
