[FFmpeg-cvslog] vp8: change mv_{min,max}.{x,y} type to int
    Andreas Cadhalpun 
    git at videolan.org
       
    Wed Jun 17 22:09:35 CEST 2015
    
    
  
ffmpeg | branch: release/2.2 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Mon Jun  8 22:38:29 2015 +0200| [fabb394a2dd0d1ab838dd82a1e1eb9151805a54e] | committer: Michael Niedermayer
vp8: change mv_{min,max}.{x,y} type to int
If one of the dimensions is larger than 8176, s->mb_width or
s->mb_height is larger than 511, leading to an int16_t overflow of
s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.
Changing the type to int avoids the overflow and has no negative
effect, because s->mv_max is only used in clamp_mv for clipping.
Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't
increase the absolute value. The input to av_clip is an int16_t, and
thus the output fits into int16_t as well.
For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range
before use.
Reviewed-by: Ronald S. Bultje <rsbultje at gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 6fdbaa2b7fb56623ab2163f861952bc1408c39b3)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fabb394a2dd0d1ab838dd82a1e1eb9151805a54e
---
 libavcodec/vp8.c |    6 ++++--
 libavcodec/vp8.h |    9 +++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index 296eb98..8d4d1a8 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -439,8 +439,10 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size)
 
 static av_always_inline void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src)
 {
-    dst->x = av_clip(src->x, s->mv_min.x, s->mv_max.x);
-    dst->y = av_clip(src->y, s->mv_min.y, s->mv_max.y);
+    dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX),
+                             av_clip(s->mv_max.x, INT16_MIN, INT16_MAX));
+    dst->y = av_clip(src->y, av_clip(s->mv_min.y, INT16_MIN, INT16_MAX),
+                             av_clip(s->mv_max.y, INT16_MIN, INT16_MAX));
 }
 
 /**
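Review bot: The nested av_clip calls in clamp_mv bring each bound into int16_t range, but nothing here checks that the clipped minimum is still not above the clipped maximum, which is the condition the commit message names as the original failure (av_clip called with amin > amax). That ordering depends on how s->mv_min and s->mv_max are assigned, which is outside this hunk, so I would state the assumption next to the code: `/* bounds are int; clip to int16_t so the result fits VP56mv. Assumes mv_min <= 0 <= mv_max. */`. If the bounds are computed in one place per row or column, clipping them there instead of on every clamp_mv call would keep the invariant in a single spot.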
diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h
index 2f00298..19ceb36 100644
--- a/libavcodec/vp8.h
+++ b/libavcodec/vp8.h
@@ -133,6 +133,11 @@ typedef struct VP8Frame {
     AVBufferRef *seg_map;
 } VP8Frame;
 
+typedef struct VP8intmv {
+    int x;
+    int y;
+} VP8intmv;
+
 #define MAX_THREADS 8
 typedef struct VP8Context {
     VP8ThreadData *thread_data;
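Review bot: VP8intmv is added without a comment saying why it exists alongside VP56mv, so a later cleanup could fold the two types back together and reintroduce the int16_t overflow described in the commit message. A short doc comment on the struct would guard against that, for example `/** MV clamp bounds; int because values derived from mb_width/mb_height can exceed int16_t. */`. The same reasoning applies to the mv_min and mv_max members changed in the next hunk.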
@@ -151,8 +156,8 @@ typedef struct VP8Context {
     uint8_t deblock_filter;
     uint8_t mbskip_enabled;
     uint8_t profile;
-    VP56mv mv_min;
-    VP56mv mv_max;
+    VP8intmv mv_min;
+    VP8intmv mv_max;
 
     int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type
     int ref_count[3];
    
    