From c23acbaed40101c677dfcfbbfe0d2c230a8e8f44 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Mar 2012 16:01:19 -0800 Subject: Don't use ff_cropTbl[] for IDCT. Results of IDCT can by far outreach the range of ff_cropTbl[], leading to overreads and potentially crashes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
---
libavcodec/rv34dsp.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'libavcodec/rv34dsp.c')
diff --git a/libavcodec/rv34dsp.c b/libavcodec/rv34dsp.c
index ce5be93894..4145c4dd85 100644
--- a/libavcodec/rv34dsp.c
+++ b/libavcodec/rv34dsp.c
@@ -55,7 +55,6 @@ static av_always_inline void rv34_row_transform(int temp[16], DCTELEM *block)
 */
 static void rv34_idct_add_c(uint8_t *dst, ptrdiff_t stride, DCTELEM *block){
 int temp[16];
- uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 int i;
 rv34_row_transform(temp, block);
@@ -67,10 +66,10 @@ static void rv34_idct_add_c(uint8_t *dst, ptrdiff_t stride, DCTELEM *block){
 const int z2 = 7* temp[4*1+i] - 17*temp[4*3+i];
 const int z3 = 17* temp[4*1+i] + 7*temp[4*3+i];
- dst[0] = cm[ dst[0] + ( (z0 + z3) >> 10 ) ];
- dst[1] = cm[ dst[1] + ( (z1 + z2) >> 10 ) ];
- dst[2] = cm[ dst[2] + ( (z1 - z2) >> 10 ) ];
- dst[3] = cm[ dst[3] + ( (z0 - z3) >> 10 ) ];
+ dst[0] = av_clip_uint8( dst[0] + ( (z0 + z3) >> 10 ) );
+ dst[1] = av_clip_uint8( dst[1] + ( (z1 + z2) >> 10 ) );
+ dst[2] = av_clip_uint8( dst[2] + ( (z1 - z2) >> 10 ) );
+ dst[3] = av_clip_uint8( dst[3] + ( (z0 - z3) >> 10 ) );
 dst += stride;
 }
@@ -103,15 +102,13 @@ static void rv34_inv_transform_noround_c(DCTELEM *block){
 static void rv34_idct_dc_add_c(uint8_t *dst, ptrdiff_t stride, int dc)
 {
- const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 int i, j;
- cm += (13*13*dc + 0x200) >> 10;
-
+ dc = (13*13*dc + 0x200) >> 10;
 for (i = 0; i < 4; i++)
 {
 for (j = 0; j < 4; j++)
- dst[j] = cm[ dst[j] ];
+ dst[j] = av_clip_uint8( dst[j] + dc );
 dst += stride;
 }
-- cgit v1.2.3
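Review bot: The four `av_clip_uint8( ... )` stores in rv34_idct_add_c carry no comment saying why the clamp is done arithmetically, so a later cleanup could bring back the `ff_cropTbl` lookup that the commit message describes as overreading. I would add one line above `dst[0] = ...`, for example `/* IDCT output is not bounded to ff_cropTbl's index range; clamp arithmetically */`, and the same line above the `dst[j]` store in rv34_idct_dc_add_c. The definitions of z0 and z1 and the loop header sit above this hunk, so the real magnitude of the sums cannot be checked from the lines shown.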
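Review bot: `dc = (13*13*dc + 0x200) >> 10;` in rv34_idct_dc_add_c still multiplies a caller-supplied `int` by 169 with no range check, which is signed overflow (undefined behaviour) once |dc| goes beyond roughly INT_MAX/169. The callers are not visible in this hunk; if they only ever pass a 16-bit coefficient the product is safe, but nothing in the signature says so. A comment on the function such as `/* dc: DC coefficient, expected to fit in 16 bits */` would pin that assumption for the next reader, and it would also make clear that the parameter is rescaled in place before the loop. The closing brace of rv34_idct_dc_add_c lies outside the hunk.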