out of buffer access fix

Originally committed as revision 3744 to svn://svn.ffmpeg.org/ffmpeg/trunk
pull/126/head
Michael Niedermayer 20 years ago
parent 0fd6aea1f1
commit a979965313
  1. 23
      libavcodec/h264.c

@ -2401,18 +2401,23 @@ static void hl_decode_mb(H264Context *h){
if(!s->encoding){ if(!s->encoding){
for(i=0; i<16; i++){ for(i=0; i<16; i++){
uint8_t * const ptr= dest_y + h->block_offset[i]; uint8_t * const ptr= dest_y + h->block_offset[i];
uint8_t *topright= ptr + 4 - linesize; uint8_t *topright;
const int topright_avail= (h->topright_samples_available<<i)&0x8000;
const int dir= h->intra4x4_pred_mode_cache[ scan8[i] ]; const int dir= h->intra4x4_pred_mode_cache[ scan8[i] ];
int tr; int tr;
if(!topright_avail){ if(dir == DIAG_DOWN_LEFT_PRED || dir == VERT_LEFT_PRED){
tr= ptr[3 - linesize]*0x01010101; const int topright_avail= (h->topright_samples_available<<i)&0x8000;
topright= (uint8_t*) &tr; assert(mb_y || linesize <= h->block_offset[i]);
}else if(i==5 && h->deblocking_filter){ if(!topright_avail){
tr= *(uint32_t*)h->top_border[mb_x+1]; tr= ptr[3 - linesize]*0x01010101;
topright= (uint8_t*) &tr; topright= (uint8_t*) &tr;
} }else if(i==5 && h->deblocking_filter){
tr= *(uint32_t*)h->top_border[mb_x+1];
topright= (uint8_t*) &tr;
}else
topright= ptr + 4 - linesize;
}else
topright= NULL;
h->pred4x4[ dir ](ptr, topright, linesize); h->pred4x4[ dir ](ptr, topright, linesize);
if(h->non_zero_count_cache[ scan8[i] ]){ if(h->non_zero_count_cache[ scan8[i] ]){

Loading…
Cancel
Save