diff options
| author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-08-25 13:50:32 +0100 |
|---|---|---|
| committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-08-25 13:50:32 +0100 |
| commit | 104278cb4cf805fc875ebd49b4a4b8f369b91c7d (patch) | |
| tree | 5326778da99efa81163a7ffb7c31cf90041d88de | |
| parent | d122dee9253731cf50428228d1b670739d874eb2 (diff) | |
| download | xine-lib-104278cb4cf805fc875ebd49b4a4b8f369b91c7d.tar.gz xine-lib-104278cb4cf805fc875ebd49b4a4b8f369b91c7d.tar.bz2 | |
Fix a possible heap buffer overflow in the ffmpeg video decoder.
This could happen where the actual image height is not a multiple of 16.
--HG--
extra : transplant_source : %10%BD%8C%FE%BA%CA0%D5k%8A%9CH%DD%B1-%A7E4%CD%E6
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | src/combined/ffmpeg/ff_video_decoder.c | 24 |
2 files changed, 15 insertions, 10 deletions
@@ -1,6 +1,7 @@ xine-lib (1.1.16) 2008-??-?? * Security fixes: - Integer overflows in the ffmpeg audio decoder and the CDDA server. + - Heap buffer overflow in the ffmpeg video decoder. * Fix reported compilation failures (with C++ programs). * Fix CDDB access in 64-bit builds. diff --git a/src/combined/ffmpeg/ff_video_decoder.c b/src/combined/ffmpeg/ff_video_decoder.c index ac101d77e..e643708df 100644 --- a/src/combined/ffmpeg/ff_video_decoder.c +++ b/src/combined/ffmpeg/ff_video_decoder.c @@ -606,6 +606,10 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { su = this->av_frame->data[1]; sv = this->av_frame->data[2]; + /* Some segfaults & heap corruption have been observed with img->height, + * so we use this->bih.biHeight instead (which is the displayed height) + */ + if (this->context->pix_fmt == PIX_FMT_YUV410P) { yuv9_to_yv12( @@ -626,7 +630,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { img->pitches[2], /* width x height */ img->width, - img->height); + this->bih.biHeight); } else if (this->context->pix_fmt == PIX_FMT_YUV411P) { @@ -648,7 +652,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { img->pitches[2], /* width x height */ img->width, - img->height); + this->bih.biHeight); } else if (this->context->pix_fmt == PIX_FMT_RGBA32) { @@ -656,7 +660,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { uint32_t *argb_pixels; uint32_t argb; - for(y = 0; y < img->height; y++) { + for(y = 0; y < this->bih.biHeight; y++) { argb_pixels = (uint32_t *)sy; for(x = 0; x < img->width; x++) { uint8_t r, g, b; @@ -684,7 +688,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { uint8_t *src; uint16_t pixel16; - for(y = 0; y < img->height; y++) { + for(y = 0; y < this->bih.biHeight; y++) { src = sy; for(x = 0; x < img->width; x++) { uint8_t r, g, b; @@ -713,7 +717,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { uint8_t *src; uint16_t pixel16; - for(y = 0; y < img->height; y++) { + for(y = 0; y < this->bih.biHeight; y++) { src = sy; for(x = 0; x < img->width; x++) { uint8_t r, g, b; @@ -741,7 +745,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { int x, plane_ptr = 0; uint8_t *src; - for(y = 0; y < img->height; y++) { + for(y = 0; y < this->bih.biHeight; y++) { src = sy; for(x = 0; x < img->width; x++) { uint8_t r, g, b; @@ -765,7 +769,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { int x, plane_ptr = 0; uint8_t *src; - for(y = 0; y < img->height; y++) { + for(y = 0; y < this->bih.biHeight; y++) { src = sy; for(x = 0; x < img->width; x++) { uint8_t r, g, b; @@ -808,7 +812,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { v_palette[x] = COMPUTE_V(r, g, b); } - for(y = 0; y < img->height; y++) { + for(y = 0; y < this->bih.biHeight; y++) { src = sy; for(x = 0; x < img->width; x++) { pixel = *src++; @@ -825,7 +829,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { } else { - for (y=0; y<img->height; y++) { + for (y = 0; y < this->bih.biHeight; y++) { xine_fast_memcpy (dy, sy, img->width); dy += img->pitches[0]; @@ -833,7 +837,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) { sy += this->av_frame->linesize[0]; } - for (y=0; y<(img->height/2); y++) { + for (y = 0; y < this->bih.biHeight / 2; y++) { if (this->context->pix_fmt != PIX_FMT_YUV444P) { |