cmdutils.c's alloc_buffer() uses the width aligned to 32, plus 2 edges of 32
pixels, as the linesize. emu_edge_buffer has to work with the same stride.
This only makes a difference for bit depths above 8 bits per pixel, since we
always allocate for 16 bits per pixel.
Fixes fuzzed sample nasa-8s2.ts_s244342.
---
libavcodec/mpegvideo.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 773c9e2..fea84fe 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -418,16 +418,19 @@ static int init_duplicate_context(MpegEncContext *s,
MpegEncContext *base)
int c_size = s->mb_stride * (s->mb_height + 1);
int yc_size = y_size + 2 * c_size;
int i;
+ /* (width aligned to 32 + 2 edges of 32) * max_byte_per_pixel */
+ int max_linesize = (FFALIGN(s->width, 32) + 2 * 32) * 2;
// edge emu needs blocksize + filter length - 1
// (= 17x17 for halfpel / 21x21 for h264)
- FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer,
- (s->width + 64) * 2 * 21 * 2, fail); // (width + edge
+ align)*interlaced*MBsize*tolerance
+ // linesize * interlaced * MBsize
+ FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, max_linesize * 2 * 21,
+ fail);
- // FIXME should be linesize instead of s->width * 2
+ // FIXME should be linesize instead of approximation
// but that is not known before get_buffer()
- FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad,
- (s->width + 64) * 4 * 16 * 2 * sizeof(uint8_t), fail)
+ FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, max_linesize * 2 * 16 * 2,
+ fail)
s->me.temp = s->me.scratchpad;
s->rd_scratchpad = s->me.scratchpad;
s->b_scratchpad = s->me.scratchpad;
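Review bot: The fix only holds while the stride returned by get_buffer() stays within max_linesize, and nothing in the hunk records that bound for a later check, so a get_buffer() that hands back a wider stride (a custom implementation, or a future change to alloc_buffer()) would reintroduce the same out-of-bounds write the FIXME on the scratchpad already acknowledges. Consider keeping the computed value in the context and rejecting the frame after get_buffer() when its linesize exceeds it, e.g. `if (linesize > s->edge_emu_max_linesize) return AVERROR_BUG;` (name is a placeholder), so the mismatch fails loudly instead of corrupting memory; that check lives outside this hunk. The `32`, `2 * 32` and `* 2` in the new max_linesize line mirror alloc_buffer()'s layout in another file, and a comment naming that coupling, or a shared definition for the alignment, edge width and max bytes per pixel, would keep the two from drifting apart silently. The enclosing init_duplicate_context() starts and ends outside the hunk.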
--
1.7.12.4