1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
From 13c13109759090b7f7182480d075e13b36ed8edd Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Sat, 12 Nov 2022 15:19:21 +0100
Subject: [PATCH] avcodec/smcenc: stop accessing out of bounds frame
Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/13c13109759090b7f7182480d075e13b36ed8edd]
Signed-off-by: <narpat.mali@windriver.com>
---
libavcodec/smcenc.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
index f3d26a4e8d..33549b8ab4 100644
--- a/libavcodec/smcenc.c
+++ b/libavcodec/smcenc.c
@@ -61,6 +61,7 @@ typedef struct SMCContext {
{ \
row_ptr += stride * 4; \
pixel_ptr = row_ptr; \
+ cur_y += 4; \
} \
} \
}
@@ -117,6 +118,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame,
const uint8_t *prev_pixels = (const uint8_t *)s->prev_frame->data[0];
uint8_t *distinct_values = s->distinct_values;
const uint8_t *pixel_ptr, *row_ptr;
+ const int height = frame->height;
const int width = frame->width;
uint8_t block_values[16];
int block_counter = 0;
@@ -125,13 +127,14 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame,
int color_octet_index = 0;
int color_table_index; /* indexes to color pair, quad, or octet tables */
int total_blocks;
+ int cur_y = 0;
memset(s->color_pairs, 0, sizeof(s->color_pairs));
memset(s->color_quads, 0, sizeof(s->color_quads));
memset(s->color_octets, 0, sizeof(s->color_octets));
/* Number of 4x4 blocks in frame. */
- total_blocks = ((frame->width + 3) / 4) * ((frame->height + 3) / 4);
+ total_blocks = ((width + 3) / 4) * ((height + 3) / 4);
pixel_ptr = row_ptr = src_pixels;
@@ -145,11 +148,13 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame,
int cache_index;
int distinct = 0;
int blocks = 0;
+ int frame_y = cur_y;
while (prev_pixels && s->key_frame == 0 && block_counter + inter_skip_blocks < total_blocks) {
+ const int y_size = FFMIN(4, height - cur_y);
int compare = 0;
- for (int y = 0; y < 4; y++) {
+ for (int y = 0; y < y_size; y++) {
const ptrdiff_t offset = pixel_ptr - src_pixels;
const uint8_t *prev_pixel_ptr = prev_pixels + offset;
@@ -170,8 +175,10 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame,
pixel_ptr = xpixel_ptr;
row_ptr = xrow_ptr;
+ cur_y = frame_y;
while (block_counter > 0 && block_counter + intra_skip_blocks < total_blocks) {
+ const int y_size = FFMIN(4, height - cur_y);
const ptrdiff_t offset = pixel_ptr - src_pixels;
const int sy = offset / stride;
const int sx = offset % stride;
@@ -180,7 +187,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame,
const uint8_t *old_pixel_ptr = src_pixels + nx + ny * stride;
int compare = 0;
- for (int y = 0; y < 4; y++) {
+ for (int y = 0; y < y_size; y++) {
compare |= memcmp(old_pixel_ptr + y * stride, pixel_ptr + y * stride, 4);
if (compare)
break;
@@ -197,9 +204,11 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame,
pixel_ptr = xpixel_ptr;
row_ptr = xrow_ptr;
+ cur_y = frame_y;
while (block_counter + coded_blocks < total_blocks && coded_blocks < 256) {
- for (int y = 0; y < 4; y++)
+ const int y_size = FFMIN(4, height - cur_y);
+ for (int y = 0; y < y_size; y++)
memcpy(block_values + y * 4, pixel_ptr + y * stride, 4);
qsort(block_values, 16, sizeof(block_values[0]), smc_cmp_values);
@@ -224,6 +233,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame,
pixel_ptr = xpixel_ptr;
row_ptr = xrow_ptr;
+ cur_y = frame_y;
blocks = coded_blocks;
distinct = coded_distinct;
--
2.34.1
|
