vlc/vlc-3.0 | branch: master | Steve Lhomme <[email protected]> | Wed Mar 21 11:09:35 2018 +0100| [f18f5e6c0611165248bff15281ad33318599c5ba] | committer: Hugo Beauzée-Luyssen
chroma: copy: fix buffer overrun when the destination pitch is smaller than the src Fixes #20103 (cherry picked from commit cdbd28fa78eae03f4b62fc570a72bbfa017b6062) Signed-off-by: Hugo Beauzée-Luyssen <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=f18f5e6c0611165248bff15281ad33318599c5ba --- modules/video_chroma/copy.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/video_chroma/copy.c b/modules/video_chroma/copy.c index d4358b441a..fa1616a372 100644 --- a/modules/video_chroma/copy.c +++ b/modules/video_chroma/copy.c @@ -466,7 +466,8 @@ static void SSE_CopyPlane(uint8_t *dst, size_t dst_pitch, uint8_t *cache, size_t cache_size, unsigned height, int bitshift) { - const unsigned w16 = (src_pitch+15) & ~15; + const size_t copy_pitch = __MIN(src_pitch, dst_pitch); + const unsigned w16 = (copy_pitch+15) & ~15; const unsigned hstep = cache_size / w16; assert(hstep > 0); @@ -481,7 +482,7 @@ static void SSE_CopyPlane(uint8_t *dst, size_t dst_pitch, CopyFromUswc(cache, w16, src, src_pitch, src_pitch, hblock, bitshift); /* Copy from our cache to the destination */ - Copy2d(dst, dst_pitch, cache, w16, src_pitch, hblock); + Copy2d(dst, dst_pitch, cache, w16, copy_pitch, hblock); /* */ src += src_pitch * hblock; @@ -610,6 +611,7 @@ static void CopyPlane(uint8_t *dst, size_t dst_pitch, const uint8_t *src, size_t src_pitch, unsigned height, int bitshift) { + const size_t copy_pitch = __MIN(src_pitch, dst_pitch); if (bitshift != 0) { for (unsigned y = 0; y < height; y++) @@ -618,20 +620,20 @@ static void CopyPlane(uint8_t *dst, size_t dst_pitch, const uint16_t *src16 = (const uint16_t *) src; if (bitshift > 0) - for (unsigned x = 0; x < (src_pitch / 2); x++) + for (unsigned x = 0; x < (copy_pitch / 2); x++) *dst16++ = (*src16++) >> (bitshift & 0xf); else - for (unsigned x = 0; x < (src_pitch / 2); x++) + for (unsigned x = 0; x < (copy_pitch / 2); x++) *dst16++ = (*src16++) << ((-bitshift) & 0xf); src += src_pitch; dst += dst_pitch; } } else if (src_pitch == dst_pitch) - memcpy(dst, src, src_pitch * height); + memcpy(dst, src, copy_pitch * height); else for (unsigned y = 0; y < height; y++) { - memcpy(dst, src, src_pitch); + memcpy(dst, src, copy_pitch); src += src_pitch; dst += dst_pitch; } _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
