diff options
| author | jstebbins <[email protected]> | 2012-09-12 15:54:00 +0000 |
|---|---|---|
| committer | jstebbins <[email protected]> | 2012-09-12 15:54:00 +0000 |
| commit | 001b8708d3b15564c7096a21be769b9328bc2cb8 (patch) | |
| tree | d77148f3096a479999af72cd05b3c9cd6d300652 /libhb | |
| parent | 6af5392e79799d76135e4b006c5ea817d5af01df (diff) | |
libhb: fix potential invalid memory access in decomb (again)
I missed a spot where an even wider left/right margin is
needed.
git-svn-id: svn://svn.handbrake.fr/HandBrake/trunk@4961 b64f7644-9d1e-0410-96f1-a4d463321fa5
Diffstat (limited to 'libhb')
| -rw-r--r-- | libhb/decomb.c | 21 | ||||
| -rw-r--r-- | libhb/fifo.c | 2 |
2 files changed, 17 insertions, 6 deletions
diff --git a/libhb/decomb.c b/libhb/decomb.c index 4f969194d..e931db020 100644 --- a/libhb/decomb.c +++ b/libhb/decomb.c @@ -1658,15 +1658,24 @@ static void yadif_filter_line( spatial_pred = (c+e)>>1; } - // YADIF_CHECK touches pixels -3 and +3 around the current x pos - // when MODE_CUBIC is enabled - if( x >= 3 && x <= width - 4 ) + // YADIF_CHECK requires a margin to avoid invalid memory access. + // In MODE_CUBIC, margin needed is 2 + ABS(param). + // Else, the margin needed is 1 + ABS(param). + int margin = 2; + if (pv->mode & MODE_CUBIC) + margin = 3; + + if (x >= margin && x <= width - (margin + 1)) { - YADIF_CHECK(-1) YADIF_CHECK(-2) }} }} + YADIF_CHECK(-1) + if (x >= margin + 1 && x <= width - (margin + 2)) + YADIF_CHECK(-2) }} }} } - if( x >= 3 && x <= width - 4 ) + if (x >= margin && x <= width - (margin + 1)) { - YADIF_CHECK(1) YADIF_CHECK(2) }} }} + YADIF_CHECK(1) + if (x >= margin + 1 && x <= width - (margin + 2)) + YADIF_CHECK(2) }} }} } } diff --git a/libhb/fifo.c b/libhb/fifo.c index 1f0d2ef97..8fcde27b6 100644 --- a/libhb/fifo.c +++ b/libhb/fifo.c @@ -334,6 +334,7 @@ hb_buffer_t * hb_buffer_init( int size ) hb_lock(buffers.lock); buffers.allocated += b->alloc; hb_unlock(buffers.lock); + memset(b->data, 0, b->alloc); } return b; } @@ -346,6 +347,7 @@ void hb_buffer_realloc( hb_buffer_t * b, int size ) size = size_to_pool( size )->buffer_size; b->data = realloc( b->data, size ); b->alloc = size; + memset(b->data, 0, b->alloc); hb_lock(buffers.lock); buffers.allocated += size - orig; |