xvba: decoder, check size of bitstream buffer, fix potential buffer o…
…verwrite
FernetMenta committed Mar 6, 2012
1 parent c3aff56 commit 23423a8
Showing 2 changed files with 17 additions and 3 deletions.
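--- a/xbmc/cores/dvdplayer/DVDCodecs/Video/XVBA.cpp
+++ b/xbmc/cores/dvdplayer/DVDCodecs/Video/XVBA.cpp
@@ -520,7 +520,7 @@ int CDecoder::Check(AVCodecContext* avctx)
 state = m_displayState;
 }
 }
-if (state == XVBA_RESET)
+if (state == XVBA_RESET || state == XVBA_ERROR)
 {
 CLog::Log(LOGNOTICE,"XVBA::Check - Attempting recovery");
 
@@ -531,7 +531,10 @@ int CDecoder::Check(AVCodecContext* avctx)
 ResetState();
 CXVBAContext::EnsureContext(&m_context);
 
-return VC_FLUSHED;
+if (state == XVBA_RESET)
+return VC_FLUSHED;
+else
+return VC_ERROR;
 }
 return 0;
 }
@@ -540,7 +543,7 @@ void CDecoder::SetError(const char* function, const char* msg, int line)
 {
 CLog::Log(LOGERROR, "XVBA::%s - %s, line %d", function, msg, line);
 CExclusiveLock lock(m_displaySection);
-m_displayState = XVBA_LOST;
+m_displayState = XVBA_ERROR;
 }
 
 bool CDecoder::CreateSession(AVCodecContext* avctx)
@@ -825,6 +828,15 @@ void CDecoder::FFDrawSlice(struct AVCodecContext *avctx,
 memcpy((uint8_t*)xvba->m_xvbaBufferPool.data_buffer->bufferXVBA+location+3,
 &sdf, 1);
 }
+// check for potential buffer overwrite
+unsigned int bytesToCopy = render->buffers[j].size;
+unsigned int freeBufferSize = xvba->m_xvbaBufferPool.data_buffer->buffer_size -
+xvba->m_xvbaBufferPool.data_buffer->data_size_in_buffer;
+if (bytesToCopy >= freeBufferSize)
+{
+xvba->SetError(__FUNCTION__, "bitstream buffer too large, maybe corrupted packet", __LINE__);
+return;
+}
 memcpy((uint8_t*)xvba->m_xvbaBufferPool.data_buffer->bufferXVBA+location+startCodeSize,
 render->buffers[j].buffer,
 render->buffers[j].size);
@@ -955,6 +967,7 @@ int CDecoder::FFGetBuffer(AVCodecContext *avctx, AVFrame *pic)
 render->picture_descriptor = (XVBAPictureDescriptor *)xvba->m_xvbaBufferPool.picture_descriptor_buffer->bufferXVBA;
 render->iq_matrix = (XVBAQuantMatrixAvc *)xvba->m_xvbaBufferPool.iq_matrix_buffer->bufferXVBA;
 xvba->m_videoSurfaces.push_back(render);
+CLog::Log(LOGDEBUG, "XVBA::FFGetBuffer - created video surface");
 }
 
 if (render == NULL)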
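Review bot: The new bounds check in FFDrawSlice does not cover the bytes that are actually written: the memcpy after it lands at `location+startCodeSize`, so the start-code bytes are not counted against the free space, and the start-code memcpy calls at `location+3` just above the check run before anything is validated. `freeBufferSize` is also computed by unsigned subtraction, so if `data_size_in_buffer` ever exceeds `buffer_size` it wraps to a large value and the check passes. I would bound the write by the real destination offset using subtraction-only comparisons as below, and hoist the check above the start-code writes if `startCodeSize` is already known at that point. This assumes `location` and `startCodeSize` are unsigned offsets into `bufferXVBA`, which the hunk does not show; FFDrawSlice begins and ends outside the hunk.

```cpp
// … unchanged: start-code memcpy calls (ideally moved after this check) …
// Validate the full write [location, location + startCodeSize + size) against the buffer.
const unsigned int capacity = xvba->m_xvbaBufferPool.data_buffer->buffer_size;
const unsigned int bytesToCopy = render->buffers[j].size;
if (location > capacity ||
    startCodeSize > capacity - location ||
    bytesToCopy > capacity - location - startCodeSize)
{
  xvba->SetError(__FUNCTION__, "bitstream buffer too large, maybe corrupted packet", __LINE__);
  return;
}
// … unchanged: memcpy of render->buffers[j].buffer …
```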
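--- a/xbmc/cores/dvdplayer/DVDCodecs/Video/XVBA.h
+++ b/xbmc/cores/dvdplayer/DVDCodecs/Video/XVBA.h
@@ -47,6 +47,7 @@ enum EDisplayState
 { XVBA_OPEN
 , XVBA_RESET
 , XVBA_LOST
+, XVBA_ERROR
 };
 
 class CXVBAContext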
