~ubuntu-branches/ubuntu/feisty/gstreamer0.10-ffmpeg/feisty


Viewing changes to debian/patches/32_CVE-2005-4048_avcodec-default-get-buffer-heap-overflow.patch

  • Committer: Bazaar Package Importer
  • Author(s): Sebastien Bacher, debian/control, debian/patches/64_reduce-all-givs-alpha-gcc-4.patch
  • Date: 2005-12-17 23:59:34 UTC
  • Revision ID: james.westby@ubuntu.com-20051217235934-nwlawuiovwzcy06j
Tags: 0.10.0-0ubuntu1
* New upstream version.
  - build the encoders too [debian/rules]
  - don't list libgstreamer0.10-0 as a Depends the shlibs get that
    [debian/control]
  - fix the path of the .la file to clean [debian/rules]
  - no need to run registration at installation with gstreamer0.10
    [debian/gstreamer0.8-ffmpeg.postinst,
     debian/gstreamer0.8-ffmpeg.postrm, debian/gstreamer0.8-ffmpeg.preinst]
  - package name/version updates [debian/changelog, debian/control,
    debian/gstreamer0.8-ffmpeg.install, debian/rules]
  - removed patch shipped with the new upstream code 
    [debian/patches/64_reduce-all-givs-alpha-gcc-4.patch]

 
1
diff -urN gst-ffmpeg-0.8.7.orig/gst-libs/ext/ffmpeg/libavcodec/utils.c gst-ffmpeg-0.8.7/gst-libs/ext/ffmpeg/libavcodec/utils.c
 
2
--- gst-ffmpeg-0.8.7.orig/gst-libs/ext/ffmpeg/libavcodec/utils.c        2005-10-21 16:33:09.000000000 +0200
 
3
+++ gst-ffmpeg-0.8.7/gst-libs/ext/ffmpeg/libavcodec/utils.c     2005-12-15 20:37:21.000000000 +0100
 
4
@@ -292,27 +292,10 @@
 
5
         buf->last_pic_num= *picture_number;
 
6
     }else{
 
7
         int h_chroma_shift, v_chroma_shift;
 
8
-        int pixel_size;
 
9
-        
 
10
+        int pixel_size, size[3];
 
11
+        AVPicture picture;
 
12
+
 
13
         avcodec_get_chroma_sub_sample(s->pix_fmt, &h_chroma_shift, &v_chroma_shift);
 
14
-        
 
15
-        switch(s->pix_fmt){
 
16
-        case PIX_FMT_RGB555:
 
17
-        case PIX_FMT_RGB565:
 
18
-        case PIX_FMT_YUV422:
 
19
-        case PIX_FMT_UYVY422:
 
20
-            pixel_size=2;
 
21
-            break;
 
22
-        case PIX_FMT_RGB24:
 
23
-        case PIX_FMT_BGR24:
 
24
-            pixel_size=3;
 
25
-            break;
 
26
-        case PIX_FMT_RGBA32:
 
27
-            pixel_size=4;
 
28
-            break;
 
29
-        default:
 
30
-            pixel_size=1;
 
31
-        }
 
32
 
 
33
         avcodec_align_dimensions(s, &w, &h);
 
34
             
 
35
@@ -320,21 +303,39 @@
 
36
             w+= EDGE_WIDTH*2;
 
37
             h+= EDGE_WIDTH*2;
 
38
         }
 
39
-        
 
40
+        avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
 
41
+        pixel_size= picture.linesize[0]*8 / w;
 
42
+//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", (int)picture.data[1], w, h, s->pix_fmt);
 
43
+        assert(pixel_size>=1);
 
44
+            //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
 
45
+        if(pixel_size == 3*8)
 
46
+            w= ALIGN(w, STRIDE_ALIGN<<h_chroma_shift);
 
47
+        else
 
48
+            w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size;
 
49
+        size[1] = avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
 
50
+        size[0] = picture.linesize[0] * h;
 
51
+        size[1] -= size[0];
 
52
+        if(picture.data[2])
 
53
+            size[1]= size[2]= size[1]/2;
 
54
+        else
 
55
+            size[2]= 0;
 
56
+
 
57
         buf->last_pic_num= -256*256*256*64;
 
58
+        memset(buf->base, 0, sizeof(buf->base));
 
59
+        memset(buf->data, 0, sizeof(buf->data));
 
60
 
 
61
-        for(i=0; i<3; i++){
 
62
+        for(i=0; i<3 && size[i]; i++){
 
63
             const int h_shift= i==0 ? 0 : h_chroma_shift;
 
64
             const int v_shift= i==0 ? 0 : v_chroma_shift;
 
65
 
 
66
-            //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it
 
67
-            buf->linesize[i]= ALIGN(pixel_size*w>>h_shift, STRIDE_ALIGN<<(h_chroma_shift-h_shift)); 
 
68
+            buf->linesize[i]= picture.linesize[i];
 
69
 
 
70
-            buf->base[i]= av_malloc((buf->linesize[i]*h>>v_shift)+16); //FIXME 16
 
71
+            buf->base[i]= av_malloc(size[i]+16); //FIXME 16
 
72
             if(buf->base[i]==NULL) return -1;
 
73
-            memset(buf->base[i], 128, buf->linesize[i]*h>>v_shift);
 
74
-        
 
75
-            if(s->flags&CODEC_FLAG_EMU_EDGE)
 
76
+            memset(buf->base[i], 128, size[i]);
 
77
+
 
78
+            // no edge if EDEG EMU or not planar YUV, we check for PAL8 redundantly to protect against a exploitable bug regression ...
 
79
+            if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2]) 
 
80
                 buf->data[i] = buf->base[i];
 
81
             else
 
82
                 buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);
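Review bot: In the second hunk the only guard on `pixel_size` before it is used as a divisor in `w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size;` is `assert(pixel_size>=1)`, which is compiled out when NDEBUG is defined, and the return value of the second `avpicture_fill` call is stored in `size[1]` without a failure check. Because `w`, `h` and `s->pix_fmt` presumably derive from the stream being decoded, I would make both runtime checks: `if(pixel_size < 1) return -1;` in place of the assert, and `if(size[1] < 0) return -1;` directly after the second `avpicture_fill`. Whether `avpicture_fill` can return a negative value for the formats that reach this path is not visible here and should be confirmed. The products `picture.linesize[0] * h` and `pixel_size*w` are plain `int` arithmetic, so if nothing earlier in the function bounds the dimensions, an upper limit should be enforced before these sizes are passed to `av_malloc(size[i]+16)`. The enclosing function starts and ends outside the hunk.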