[FFmpeg-cvslog] avcodec/pngenc: fix invalid read in sub filter.
Clément Bœsch
git at videolan.org
Sun Feb 23 20:44:43 CET 2014
ffmpeg | branch: master | Clément Bœsch <u at pkh.me> | Sun Feb 23 20:11:30 2014 +0100| [57ec555e8ef3c5ef1d77d48dc7cc868e56ddadc9] | committer: Clément Bœsch
avcodec/pngenc: fix invalid read in sub filter.
First pixel was computed based on invalid address read, and then
corrected by the following memcpy. After the commit, it's not computed
anymore, and memcpy fills the appropriate area.
Fixes Ticket #3387
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=57ec555e8ef3c5ef1d77d48dc7cc868e56ddadc9
---
libavcodec/pngenc.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
index bf61be1..35a9592 100644
--- a/libavcodec/pngenc.c
+++ b/libavcodec/pngenc.c
@@ -113,6 +113,22 @@ static void sub_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, i
}
}
+static void sub_left_prediction(DSPContext *dsp, uint8_t *dst, const uint8_t *src, int bpp, int size)
+{
+ const uint8_t *src1 = src + bpp;
+ const uint8_t *src2 = src;
+ int x, unaligned_w;
+
+ memcpy(dst, src, bpp);
+ dst += bpp;
+ size -= bpp;
+ unaligned_w = FFMIN(32 - bpp, size);
+ for (x = 0; x < unaligned_w; x++)
+ *dst++ = *src1++ - *src2++;
+ size -= unaligned_w;
+ dsp->diff_bytes(dst, src1, src2, size);
+}
+
static void png_filter_row(DSPContext *dsp, uint8_t *dst, int filter_type,
uint8_t *src, uint8_t *top, int size, int bpp)
{
@@ -123,8 +139,7 @@ static void png_filter_row(DSPContext *dsp, uint8_t *dst, int filter_type,
memcpy(dst, src, size);
break;
case PNG_FILTER_VALUE_SUB:
- dsp->diff_bytes(dst, src, src-bpp, size);
- memcpy(dst, src, bpp);
+ sub_left_prediction(dsp, dst, src, bpp, size);
break;
case PNG_FILTER_VALUE_UP:
dsp->diff_bytes(dst, src, top, size);
More information about the ffmpeg-cvslog
mailing list