From 195b4cbd207f20c193d86cc28aaeebca596955cf Mon Sep 17 00:00:00 2001
From: Bastien Bouclet
Date: Mon, 1 Apr 2019 20:41:56 +0200
Subject: VIDEO: Fix an integer overflow when dequantizing the DCT coeffs
See https://github.com/FFmpeg/FFmpeg/commit/2968bedf129558024ea87a1aabc4aa2d3a5bcb6e
---
video/bink_decoder.cpp | 30 +++++++++++++++---------------
video/bink_decoder.h | 8 ++++----
video/binkdata.h | 4 ++--
3 files changed, 21 insertions(+), 21 deletions(-)
(limited to 'video')
diff --git a/video/bink_decoder.cpp b/video/bink_decoder.cpp
index 6fca2c11c8..0f33d21f81 100644
--- a/video/bink_decoder.cpp
+++ b/video/bink_decoder.cpp
@@ -679,8 +679,8 @@ void BinkDecoder::BinkVideoTrack::blockScaledRun(DecodeContext &ctx) {
 }
 void BinkDecoder::BinkVideoTrack::blockScaledIntra(DecodeContext &ctx) {
- int16 block[64];
- memset(block, 0, 64 * sizeof(int16));
+ int32 block[64];
+ memset(block, 0, 64 * sizeof(int32));
 block[0] = getBundleValue(kSourceIntraDC);
@@ -688,7 +688,7 @@ void BinkDecoder::BinkVideoTrack::blockScaledIntra(DecodeContext &ctx) {
 IDCT(block);
- int16 *src = block;
+ int32 *src = block;
 byte *dest1 = ctx.dest;
 byte *dest2 = ctx.dest + ctx.pitch;
 for (int j = 0; j < 8; j++, dest1 += (ctx.pitch << 1) - 16, dest2 += (ctx.pitch << 1) - 16, src += 8) {
@@ -824,8 +824,8 @@ void BinkDecoder::BinkVideoTrack::blockResidue(DecodeContext &ctx) {
 }
 void BinkDecoder::BinkVideoTrack::blockIntra(DecodeContext &ctx) {
- int16 block[64];
- memset(block, 0, 64 * sizeof(int16));
+ int32 block[64];
+ memset(block, 0, 64 * sizeof(int32));
 block[0] = getBundleValue(kSourceIntraDC);
@@ -845,8 +845,8 @@ void BinkDecoder::BinkVideoTrack::blockFill(DecodeContext &ctx) {
 void BinkDecoder::BinkVideoTrack::blockInter(DecodeContext &ctx) {
 blockMotion(ctx);
- int16 block[64];
- memset(block, 0, 64 * sizeof(int16));
+ int32 block[64];
+ memset(block, 0, 64 * sizeof(int32));
 block[0] = getBundleValue(kSourceInterDC);
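Review bot: The `memset(block, 0, 64 * sizeof(int32));` in blockScaledIntra (hunk -679) repeats both the element count and the element type of the array declared on the line above it, so this widening had to be applied twice per function. Had one memset been left at `sizeof(int16)`, only the first half of the buffer would be cleared, and blockScaledIntra, which passes the block to IDCT in the next hunk, would transform uninitialised stack values for the remaining coefficients. `memset(block, 0, sizeof(block));` keeps the clear tied to the declaration. The same pair appears in the blockIntra (-824) and blockInter (-845) hunks, and all three function bodies continue outside their hunks.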
@@ -1081,7 +1081,7 @@ void BinkDecoder::BinkVideoTrack::readDCS(VideoFrame &video, Bundle &bundle, int
 }
 /** Reads 8x8 block of DCT coefficients. */
-void BinkDecoder::BinkVideoTrack::readDCTCoeffs(VideoFrame &video, int16 *block, bool isIntra) {
+void BinkDecoder::BinkVideoTrack::readDCTCoeffs(VideoFrame &video, int32 *block, bool isIntra) {
 int coefCount = 0;
 int coefIdx[64];
@@ -1169,7 +1169,7 @@ void BinkDecoder::BinkVideoTrack::readDCTCoeffs(VideoFrame &video, int16 *block,
 }
 uint8 quantIdx = video.bits->getBits(4);
- const uint32 *quant = isIntra ? binkIntraQuant[quantIdx] : binkInterQuant[quantIdx];
+ const int32 *quant = isIntra ? binkIntraQuant[quantIdx] : binkInterQuant[quantIdx];
 block[0] = (block[0] * quant[0]) >> 11;
 for (int i = 0; i < coefCount; i++) {
@@ -1308,7 +1308,7 @@ void BinkDecoder::BinkVideoTrack::readResidue(VideoFrame &video, int16 *block, i
 #define MUNGE_ROW(x) (((x) + 0x7F)>>8)
 #define IDCT_ROW(dest,src) IDCT_TRANSFORM(dest,0,1,2,3,4,5,6,7,0,1,2,3,4,5,6,7,MUNGE_ROW,src)
-static inline void IDCTCol(int16 *dest, const int16 *src) {
+static inline void IDCTCol(int32 *dest, const int32 *src) {
 if ((src[8] | src[16] | src[24] | src[32] | src[40] | src[48] | src[56]) == 0) {
 dest[ 0] =
 dest[ 8] =
@@ -1323,9 +1323,9 @@ static inline void IDCTCol(int16 *dest, const int16 *src) {
 }
 }
-void BinkDecoder::BinkVideoTrack::IDCT(int16 *block) {
+void BinkDecoder::BinkVideoTrack::IDCT(int32 *block) {
 int i;
- int16 temp[64];
+ int32 temp[64];
 for (i = 0; i < 8; i++)
 IDCTCol(&temp[i], &block[i]);
@@ -1334,7 +1334,7 @@ void BinkDecoder::BinkVideoTrack::IDCT(int16 *block) {
 }
 }
-void BinkDecoder::BinkVideoTrack::IDCTAdd(DecodeContext &ctx, int16 *block) {
+void BinkDecoder::BinkVideoTrack::IDCTAdd(DecodeContext &ctx, int32 *block) {
 int i, j;
 IDCT(block);
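Review bot: The multiply in `block[0] = (block[0] * quant[0]) >> 11;` (readDCTCoeffs, hunk -1169) is now a signed 32-bit by signed 32-bit product on a coefficient that appears to come from the bitstream. A large enough value would still overflow, as undefined behaviour rather than the unsigned wraparound the old `uint32` table produced. Widening the product, `block[0] = (int32)(((int64)block[0] * quant[0]) >> 11);`, would remove that, and the per-coefficient multiply inside the loop that opens on the hunk's last line presumably needs the same treatment. Whether the reader can actually deliver a value that large depends on code outside this hunk, and the loop body is not visible here.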
@@ -1344,9 +1344,9 @@ void BinkDecoder::BinkVideoTrack::IDCTAdd(DecodeContext &ctx, int16 *block) {
 dest[j] += block[j];
 }
-void BinkDecoder::BinkVideoTrack::IDCTPut(DecodeContext &ctx, int16 *block) {
+void BinkDecoder::BinkVideoTrack::IDCTPut(DecodeContext &ctx, int32 *block) {
 int i;
- int16 temp[64];
+ int32 temp[64];
 for (i = 0; i < 8; i++)
 IDCTCol(&temp[i], &block[i]);
 for (i = 0; i < 8; i++) {
diff --git a/video/bink_decoder.h b/video/bink_decoder.h
index 68dd994115..29d16020b1 100644
--- a/video/bink_decoder.h
+++ b/video/bink_decoder.h
@@ -314,13 +314,13 @@ private:
 void readPatterns (VideoFrame &video, Bundle &bundle);
 void readColors (VideoFrame &video, Bundle &bundle);
 void readDCS (VideoFrame &video, Bundle &bundle, int startBits, bool hasSign);
- void readDCTCoeffs (VideoFrame &video, int16 *block, bool isIntra);
+ void readDCTCoeffs (VideoFrame &video, int32 *block, bool isIntra);
 void readResidue (VideoFrame &video, int16 *block, int masksCount);
 // Bink video IDCT
- void IDCT(int16 *block);
- void IDCTPut(DecodeContext &ctx, int16 *block);
- void IDCTAdd(DecodeContext &ctx, int16 *block);
+ void IDCT(int32 *block);
+ void IDCTPut(DecodeContext &ctx, int32 *block);
+ void IDCTAdd(DecodeContext &ctx, int32 *block);
 };
 class BinkAudioTrack : public AudioTrack {
diff --git a/video/binkdata.h b/video/binkdata.h
index dc72f7eacd..fd72d53f5c 100644
--- a/video/binkdata.h
+++ b/video/binkdata.h
@@ -247,7 +247,7 @@ static const uint8 binkPatterns[16][64] = {
 }
 };
-static const uint32 binkIntraQuant[16][64] = {
+static const int32 binkIntraQuant[16][64] = {
 {
 0x010000, 0x016315, 0x01E83D, 0x02A535, 0x014E7B, 0x016577, 0x02F1E6, 0x02724C,
 0x010000, 0x00EEDA, 0x024102, 0x017F9B, 0x00BE80, 0x00611E, 0x01083C, 0x00A552,
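Review bot: The declarations in bink_decoder.h (hunk -314) now mix two block element types, and none of them states how many elements the pointer must cover. readDCTCoeffs, IDCT, IDCTPut and IDCTAdd take `int32 *block`, while readResidue keeps `int16 *block`. The callers visible in this patch declare `block[64]`, and IDCTCol indexes up to `src[56]` from each of eight column offsets, so the 64-element requirement is real but unwritten. A comment above the group, for example `// block: 8x8 = 64 coefficients; int32 on the DCT paths, int16 for residue`, would record the contract the raw-pointer signatures cannot express.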
@@ -410,7 +410,7 @@ static const uint32 binkIntraQuant[16][64] = {
 },
 };
-static const uint32 binkInterQuant[16][64] = {
+static const int32 binkInterQuant[16][64] = {
 {
 0x010000, 0x017946, 0x01A5A9, 0x0248DC, 0x016363, 0x0152A7, 0x0243EC, 0x0209EA,
 0x012000, 0x00E248, 0x01BBDA, 0x015CBC, 0x00A486, 0x0053E0, 0x00F036, 0x008095,
-- 
cgit v1.2.3