[FFmpeg-cvslog] videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations.

[Ronald S. Bultje]

ffmpeg | branch: release/2.8 | Ronald S. Bultje  | Sat Jan 
16 14:44:28 2016 -0500| [62b2b2195b7eac8570ef31b8306916a1a53a537b] | committer: 
Michael Niedermayer

videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations.

This can overread (either before start or beyond end) of the buffer in
Nx1 (i.e. height=1) images.

Fixes mozilla bug 1240080.

(cherry picked from commit 0f88b3f82fafd536979993aeaafcb11a22266dbd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=62b2b2195b7eac8570ef31b8306916a1a53a537b
---

 libavcodec/x86/videodsp.asm | 21 ++---
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm
index 48f5ac0..a807d3b 100644
--- a/libavcodec/x86/videodsp.asm
+++ b/libavcodec/x86/videodsp.asm
@@ -193,14 +193,10 @@ hvar_fn
 movvalb, [srcq+%2-1]
 %elif (%2-%%off) == 2
 movvalw, [srcq+%2-2]
-%elifidn %1, body
+%else
 movvalb, [srcq+%2-1]
-salvald, 16
+rorvald, 16
 movvalw, [srcq+%2-3]
-%elifidn %1, bottom
-movd mm %+ %%mmx_idx, [srcq+%2-4]
-%else ; top
-movd mm %+ %%mmx_idx, [srcq+%2-3]
 %endif
 %endif ; (%2-%%off) >= 1
 %endmacro ; READ_NUM_BYTES
@@ -253,18 +249,13 @@ hvar_fn
 mov [dstq+%2-1], valb
 %elif (%2-%%off) == 2
 mov [dstq+%2-2], valw
-%elifidn %1, body
-mov [dstq+%2-3], valw
-sarvald, 16
-mov [dstq+%2-1], valb
 %else
-movd   vald, mm %+ %%mmx_idx
-%ifidn %1, bottom
-sarvald, 8
-%endif
 mov [dstq+%2-3], valw
-sarvald, 16
+rorvald, 16
 mov [dstq+%2-1], valb
+%ifnidn %1, body
+rorvald, 16
+%endif
 %endif
 %endif ; (%2-%%off) >= 1
 %endmacro ; WRITE_NUM_BYTES

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations.

[Ronald S. Bultje]

ffmpeg | branch: master | Ronald S. Bultje  | Sat Jan 16 
14:44:28 2016 -0500| [0f88b3f82fafd536979993aeaafcb11a22266dbd] | committer: 
Ronald S. Bultje

videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations.

This can overread (either before start or beyond end) of the buffer in
Nx1 (i.e. height=1) images.

Fixes mozilla bug 1240080.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f88b3f82fafd536979993aeaafcb11a22266dbd
---

 libavcodec/x86/videodsp.asm |   21 ++---
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm
index 48f5ac0..a807d3b 100644
--- a/libavcodec/x86/videodsp.asm
+++ b/libavcodec/x86/videodsp.asm
@@ -193,14 +193,10 @@ hvar_fn
 movvalb, [srcq+%2-1]
 %elif (%2-%%off) == 2
 movvalw, [srcq+%2-2]
-%elifidn %1, body
+%else
 movvalb, [srcq+%2-1]
-salvald, 16
+rorvald, 16
 movvalw, [srcq+%2-3]
-%elifidn %1, bottom
-movd mm %+ %%mmx_idx, [srcq+%2-4]
-%else ; top
-movd mm %+ %%mmx_idx, [srcq+%2-3]
 %endif
 %endif ; (%2-%%off) >= 1
 %endmacro ; READ_NUM_BYTES
@@ -253,18 +249,13 @@ hvar_fn
 mov [dstq+%2-1], valb
 %elif (%2-%%off) == 2
 mov [dstq+%2-2], valw
-%elifidn %1, body
-mov [dstq+%2-3], valw
-sarvald, 16
-mov [dstq+%2-1], valb
 %else
-movd   vald, mm %+ %%mmx_idx
-%ifidn %1, bottom
-sarvald, 8
-%endif
 mov [dstq+%2-3], valw
-sarvald, 16
+rorvald, 16
 mov [dstq+%2-1], valb
+%ifnidn %1, body
+rorvald, 16
+%endif
 %endif
 %endif ; (%2-%%off) >= 1
 %endmacro ; WRITE_NUM_BYTES

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog