Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 74874 Details for
Bug 115760
media-video/mplayer,xmovie : flaw in included ffmpeg (CVE-2005-4048)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
upstream fix
ffmpeg-png-onepixel.patch (text/plain), 3.35 KB, created by
Luca Barbato
on 2005-12-16 05:40:56 UTC
(
hide
)
Description:
upstream fix
Filename:
MIME Type:
Creator:
Luca Barbato
Created:
2005-12-16 05:40:56 UTC
Size:
3.35 KB
patch
obsolete
>Index: libavcodec/utils.c >=================================================================== >RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/utils.c,v >retrieving revision 1.161 >retrieving revision 1.162 >diff -u -r1.161 -r1.162 >--- libavcodec/utils.c 2 Nov 2005 09:18:32 -0000 1.161 >+++ libavcodec/utils.c 2 Dec 2005 00:12:37 -0000 1.162 >@@ -292,27 +292,10 @@ > buf->last_pic_num= *picture_number; > }else{ > int h_chroma_shift, v_chroma_shift; >- int pixel_size; >- >+ int pixel_size, size[3]; >+ AVPicture picture; >+ > avcodec_get_chroma_sub_sample(s->pix_fmt, &h_chroma_shift, &v_chroma_shift); >- >- switch(s->pix_fmt){ >- case PIX_FMT_RGB555: >- case PIX_FMT_RGB565: >- case PIX_FMT_YUV422: >- case PIX_FMT_UYVY422: >- pixel_size=2; >- break; >- case PIX_FMT_RGB24: >- case PIX_FMT_BGR24: >- pixel_size=3; >- break; >- case PIX_FMT_RGBA32: >- pixel_size=4; >- break; >- default: >- pixel_size=1; >- } > > avcodec_align_dimensions(s, &w, &h); > >@@ -320,21 +303,39 @@ > w+= EDGE_WIDTH*2; > h+= EDGE_WIDTH*2; > } >- >+ avpicture_fill(&picture, NULL, s->pix_fmt, w, h); >+ pixel_size= picture.linesize[0]*8 / w; >+//av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", (int)picture.data[1], w, h, s->pix_fmt); >+ assert(pixel_size>=1); >+ //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it >+ if(pixel_size == 3*8) >+ w= ALIGN(w, STRIDE_ALIGN<<h_chroma_shift); >+ else >+ w= ALIGN(pixel_size*w, STRIDE_ALIGN<<(h_chroma_shift+3)) / pixel_size; >+ size[1] = avpicture_fill(&picture, NULL, s->pix_fmt, w, h); >+ size[0] = picture.linesize[0] * h; >+ size[1] -= size[0]; >+ if(picture.data[2]) >+ size[1]= size[2]= size[1]/2; >+ else >+ size[2]= 0; >+ > buf->last_pic_num= -256*256*256*64; >+ memset(buf->base, 0, sizeof(buf->base)); >+ memset(buf->data, 0, sizeof(buf->data)); > >- for(i=0; i<3; i++){ >+ for(i=0; i<3 && size[i]; i++){ > const int h_shift= i==0 ? 0 : h_chroma_shift; > const int v_shift= i==0 ? 0 : v_chroma_shift; > >- //FIXME next ensures that linesize= 2^x uvlinesize, thats needed because some MC code assumes it >- buf->linesize[i]= ALIGN(pixel_size*w>>h_shift, STRIDE_ALIGN<<(h_chroma_shift-h_shift)); >+ buf->linesize[i]= picture.linesize[i]; > >- buf->base[i]= av_malloc((buf->linesize[i]*h>>v_shift)+16); //FIXME 16 >+ buf->base[i]= av_malloc(size[i]+16); //FIXME 16 > if(buf->base[i]==NULL) return -1; >- memset(buf->base[i], 128, buf->linesize[i]*h>>v_shift); >- >- if(s->flags&CODEC_FLAG_EMU_EDGE) >+ memset(buf->base[i], 128, size[i]); >+ >+ // no edge if EDEG EMU or not planar YUV, we check for PAL8 redundantly to protect against a exploitable bug regression ... >+ if((s->flags&CODEC_FLAG_EMU_EDGE) || (s->pix_fmt == PIX_FMT_PAL8) || !size[2]) > buf->data[i] = buf->base[i]; > else > buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 115760
:
74873
| 74874