Fixed potential overread in the rawvideo decoder.

The plane size of the pictures given to a decoder can be a bit larger than necessary. It can happens when the video size is incompatible with the colorspace. It closes #5770.

Fixed potential overread in the rawvideo decoder.
The plane size of the pictures given to a decoder can be a bit larger than necessary. It can happens when the video size is incompatible with the colorspace. It closes #5770.
4a26ac7f · Laurent Aimar · 2a1e9a20 · 4a26ac7f
Commit 4a26ac7f authored Jan 06, 2012 by Laurent Aimar
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

modules/codec/rawvideo.c modules/codec/rawvideo.c +6 -2

No files found.
--- a/modules/codec/rawvideo.c
+++ b/modules/codec/rawvideo.c
@@ -45,6 +45,7 @@ struct decoder_sys_t
     */
    size_t i_raw_size;
    bool b_invert;
+    plane_t planes[PICTURE_PLANE_MAX];

    /*
     * Common properties
@@ -171,8 +172,11 @@ static int OpenDecoder( vlc_object_t *p_this )
                   p_dec->fmt_in.video.i_height, 0, 1 );
    p_sys->i_raw_size = 0;
    for( int i = 0; i < picture.i_planes; i++ )
+    {
        p_sys->i_raw_size += picture.p[i].i_visible_pitch *
                             picture.p[i].i_visible_lines;
+        p_sys->planes[i] = picture.p[i];
+    }

    if( !p_dec->fmt_in.video.i_sar_num || !p_dec->fmt_in.video.i_sar_den )
    {
@@ -275,8 +279,8 @@ static void FillPicture( decoder_t *p_dec, block_t *p_block, picture_t *p_pic )
    for( i_plane = 0; i_plane < p_pic->i_planes; i_plane++ )
    {
        int i_pitch = p_pic->p[i_plane].i_pitch;
-        int i_visible_pitch = p_pic->p[i_plane].i_visible_pitch;
-        int i_visible_lines = p_pic->p[i_plane].i_visible_lines;
+        int i_visible_pitch = p_sys->planes[i_plane].i_visible_pitch;
+        int i_visible_lines = p_sys->planes[i_plane].i_visible_lines;
        uint8_t *p_dst = p_pic->p[i_plane].p_pixels;
        uint8_t *p_dst_end = p_dst+i_pitch*i_visible_lines;