[FFmpeg-cvslog] avcodec/mpegvideo: Fix crash when using lowres with 10bit MPEG-4

Andreas Rheinhardt git at videolan.org
Sat Jan 29 21:02:56 EET 2022


ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Tue Jan 25 23:07:25 2022 +0100| [d4d87f2ac56e13aaad68f2dd2efc69a977e6a3bc] | committer: Andreas Rheinhardt

avcodec/mpegvideo: Fix crash when using lowres with 10bit MPEG-4

In this case the macroblocks written to are smaller, yet
the MPEG-4 Simple Studio Profile code for 10bit DPCM ignored this;
e.g. in case of lowres = 2 or = 3, the sample mpeg4_sstp_dpcm.m4v
from the FATE-suite reads beyond the end of the buffer.

This commit fixes this by taking lowres into account.
The DPCM macroblocks of the aforementioned sample look
as good as can be expected after this patch; yet the non-DPCM
coded macroblocks are simply corrupt.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4d87f2ac56e13aaad68f2dd2efc69a977e6a3bc
---

 libavcodec/mpegvideo.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 47603c2991..40494fe115 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -1629,13 +1629,17 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],
                     uint16_t *dest_pcm[3] = {(uint16_t*)dest_y, (uint16_t*)dest_cb, (uint16_t*)dest_cr};
                     int linesize[3] = {dct_linesize, uvlinesize, uvlinesize};
                     for(i = 0; i < 3; i++) {
+                        const int16_t *src = (*s->dpcm_macroblock)[i];
                         int idx = 0;
                         int vsub = i ? s->chroma_y_shift : 0;
                         int hsub = i ? s->chroma_x_shift : 0;
-                        for(h = 0; h < (16 >> vsub); h++){
-                            for(w = 0; w < (16 >> hsub); w++)
-                                dest_pcm[i][w] = (*s->dpcm_macroblock)[i][idx++];
+                        int lowres = lowres_flag ? s->avctx->lowres : 0;
+                        int step = 1 << lowres;
+                        for (h = 0; h < (16 >> (vsub + lowres)); h++){
+                            for (w = 0, idx = 0; w < (16 >> (hsub + lowres)); w++, idx += step)
+                                dest_pcm[i][w] = src[idx];
                             dest_pcm[i] += linesize[i] / 2;
+                            src         += (16 >> hsub) * step;
                         }
                     }
                 } else {
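Review bot: The initialiser in `int idx = 0;` is now dead, because the inner loop resets `idx = 0` at the start of every row and the row position is carried by `src` alone; dropping the initialiser would make that obvious, and the same applies to the second hunk. Since this is the path that previously read past the end of the buffer, the bounds reasoning should also be stated next to the loop, for example `/* src keeps the full-resolution row stride (16 >> hsub); each output row consumes step input rows, so reads stay inside one plane of dpcm_macroblock */`. The enclosing function starts and ends outside the hunk, so any upstream limit on `s->avctx->lowres` cannot be checked from here.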
@@ -1644,13 +1648,17 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],
                     int linesize[3] = {dct_linesize, uvlinesize, uvlinesize};
                     av_assert2(s->dpcm_direction == -1);
                     for(i = 0; i < 3; i++) {
+                        const int16_t *src = (*s->dpcm_macroblock)[i];
                         int idx = 0;
                         int vsub = i ? s->chroma_y_shift : 0;
                         int hsub = i ? s->chroma_x_shift : 0;
+                        int lowres = lowres_flag ? s->avctx->lowres : 0;
+                        int step = 1 << lowres;
                         dest_pcm[i] += (linesize[i] / 2) * ((16 >> vsub) - 1);
-                        for (h = (16 >> vsub) - 1; h >= 0; h--) {
-                            for (w = (16 >> hsub) - 1; w >= 0; w--)
-                                dest_pcm[i][w] = (*s->dpcm_macroblock)[i][idx++];
+                        for (h = (16 >> (vsub + lowres)) - 1; h >= 0; h--){
+                            for (w = (16 >> (hsub + lowres)) - 1, idx = 0; w >= 0; w--, idx += step)
+                                dest_pcm[i][w] = src[idx];
+                            src += step * (16 >> hsub);
                             dest_pcm[i] -= linesize[i] / 2;
                         }
                     }
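Review bot: The unchanged start-offset line `dest_pcm[i] += (linesize[i] / 2) * ((16 >> vsub) - 1);` still moves the write pointer to the last row of a full-resolution macroblock, while the new loop walks only `16 >> (vsub + lowres)` rows upward from there. With lowres > 0 the written rows therefore appear to land outside the reduced-size macroblock (luma rows 12..15 instead of 0..3 at lowres = 2), which is the write-side counterpart of the out-of-bounds read this commit fixes. The offset should probably use the same shift as the loop bound: `dest_pcm[i] += (linesize[i] / 2) * ((16 >> (vsub + lowres)) - 1);`. The destination buffer's real extent is set outside the hunk, so this should be confirmed by running the FATE sample under ASan at lowres 1 to 3 with `dpcm_direction == -1`.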


