From c23acbaed40101c677dfcfbbfe0d2c230a8e8f44 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Mar 2012 16:01:19 -0800 Subject: Don't use ff_cropTbl[] for IDCT. Results of IDCT can by far outreach the range of ff_cropTbl[], leading to overreads and potentially crashes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavcodec/simple_idct_template.c | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) (limited to 'libavcodec/simple_idct_template.c') diff --git a/libavcodec/simple_idct_template.c b/libavcodec/simple_idct_template.c index fdec3aab2b..3c855e3825 100644 --- a/libavcodec/simple_idct_template.c +++ b/libavcodec/simple_idct_template.c @@ -224,50 +224,48 @@ static inline void FUNC(idctSparseColPut)(pixel *dest, int line_size, DCTELEM *col) { int a0, a1, a2, a3, b0, b1, b2, b3; - INIT_CLIP; IDCT_COLS; - dest[0] = CLIP((a0 + b0) >> COL_SHIFT); + dest[0] = av_clip_pixel((a0 + b0) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a1 + b1) >> COL_SHIFT); + dest[0] = av_clip_pixel((a1 + b1) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a2 + b2) >> COL_SHIFT); + dest[0] = av_clip_pixel((a2 + b2) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a3 + b3) >> COL_SHIFT); + dest[0] = av_clip_pixel((a3 + b3) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a3 - b3) >> COL_SHIFT); + dest[0] = av_clip_pixel((a3 - b3) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a2 - b2) >> COL_SHIFT); + dest[0] = av_clip_pixel((a2 - b2) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a1 - b1) >> COL_SHIFT); + dest[0] = av_clip_pixel((a1 - b1) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a0 - b0) >> COL_SHIFT); + dest[0] = av_clip_pixel((a0 - b0) >> COL_SHIFT); } static inline void FUNC(idctSparseColAdd)(pixel *dest, int line_size, DCTELEM *col) { int a0, a1, a2, a3, b0, b1, b2, b3; - INIT_CLIP; IDCT_COLS; - dest[0] = CLIP(dest[0] + ((a0 + b0) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a0 + b0) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a1 + b1) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a1 + b1) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a2 + b2) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a2 + b2) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a3 + b3) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a3 + b3) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a3 - b3) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a3 - b3) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a2 - b2) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a2 - b2) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a1 - b1) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a1 - b1) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a0 - b0) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a0 - b0) >> COL_SHIFT)); } static inline void FUNC(idctSparseCol)(DCTELEM *col) -- cgit v1.2.1