From c23acbaed40101c677dfcfbbfe0d2c230a8e8f44 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Mon, 5 Mar 2012 16:01:19 -0800
Subject: Don't use ff_cropTbl[] for IDCT.

Results of IDCT can by far outreach the range of ff_cropTbl[], leading
to overreads and potentially crashes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/vp8dsp.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

(limited to 'libavcodec/vp8dsp.c')

diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c
index 86dc42ed37..f6c944328a 100644
--- a/libavcodec/vp8dsp.c
+++ b/libavcodec/vp8dsp.c
@@ -80,7 +80,6 @@ static void vp8_luma_dc_wht_dc_c(DCTELEM block[4][4][16], DCTELEM dc[16])
 static void vp8_idct_add_c(uint8_t *dst, DCTELEM block[16], ptrdiff_t stride)
 {
     int i, t0, t1, t2, t3;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
     DCTELEM tmp[16];
 
     for (i = 0; i < 4; i++) {
@@ -105,10 +104,10 @@ static void vp8_idct_add_c(uint8_t *dst, DCTELEM block[16], ptrdiff_t stride)
         t2 = MUL_35468(tmp[1*4+i]) - MUL_20091(tmp[3*4+i]);
         t3 = MUL_20091(tmp[1*4+i]) + MUL_35468(tmp[3*4+i]);
 
-        dst[0] = cm[dst[0] + ((t0 + t3 + 4) >> 3)];
-        dst[1] = cm[dst[1] + ((t1 + t2 + 4) >> 3)];
-        dst[2] = cm[dst[2] + ((t1 - t2 + 4) >> 3)];
-        dst[3] = cm[dst[3] + ((t0 - t3 + 4) >> 3)];
+        dst[0] = av_clip_uint8(dst[0] + ((t0 + t3 + 4) >> 3));
+        dst[1] = av_clip_uint8(dst[1] + ((t1 + t2 + 4) >> 3));
+        dst[2] = av_clip_uint8(dst[2] + ((t1 - t2 + 4) >> 3));
+        dst[3] = av_clip_uint8(dst[3] + ((t0 - t3 + 4) >> 3));
         dst += stride;
     }
 }
@@ -116,14 +115,13 @@ static void vp8_idct_add_c(uint8_t *dst, DCTELEM block[16], ptrdiff_t stride)
 static void vp8_idct_dc_add_c(uint8_t *dst, DCTELEM block[16], ptrdiff_t stride)
 {
     int i, dc = (block[0] + 4) >> 3;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP + dc;
     block[0] = 0;
 
     for (i = 0; i < 4; i++) {
-        dst[0] = cm[dst[0]];
-        dst[1] = cm[dst[1]];
-        dst[2] = cm[dst[2]];
-        dst[3] = cm[dst[3]];
+        dst[0] = av_clip_uint8(dst[0] + dc);
+        dst[1] = av_clip_uint8(dst[1] + dc);
+        dst[2] = av_clip_uint8(dst[2] + dc);
+        dst[3] = av_clip_uint8(dst[3] + dc);
         dst += stride;
     }
 }
-- 
cgit v1.2.3