fix heap corruption after avpicture_deinterlace
authorjstebbins <jstebbins.hb@gmail.com>
Tue, 12 Oct 2010 16:44:04 +0000 (16:44 +0000)
committerjstebbins <jstebbins.hb@gmail.com>
Tue, 12 Oct 2010 16:44:04 +0000 (16:44 +0000)
I don't know when this started happening (or if it has always been a problem).
If the width of the deinterlace buffer is not a multiple of 8,
avpicture_deinterlace corrupts the heap.

git-svn-id: svn://svn.handbrake.fr/HandBrake/trunk@3598 b64f7644-9d1e-0410-96f1-a4d463321fa5

libhb/hb.c

index f7489c162e97d81957bf2ca9e0da0e26235f2c52..e26c8e659e688548ed715a3427160c1eb55fe6b4 100644 (file)
@@ -616,19 +616,20 @@ void hb_get_preview( hb_handle_t * h, hb_title_t * title, int picture,
     AVPicture            pic_in, pic_preview, pic_deint, pic_crop, pic_scale;
     struct SwsContext  * context;
     int                  i;
+    int                  deint_width = ((title->width + 7) >> 3) << 3;
     int                  rgb_width = ((job->width + 7) >> 3) << 3;
     int                  preview_size;
 
     swsflags = SWS_LANCZOS | SWS_ACCURATE_RND;
 
     buf1 = av_malloc( avpicture_get_size( PIX_FMT_YUV420P, title->width, title->height ) );
-    buf2 = av_malloc( avpicture_get_size( PIX_FMT_YUV420P, title->width, title->height ) );
+    buf2 = av_malloc( avpicture_get_size( PIX_FMT_YUV420P, deint_width, title->height ) );
     buf3 = av_malloc( avpicture_get_size( PIX_FMT_YUV420P, rgb_width, job->height ) );
     buf4 = av_malloc( avpicture_get_size( PIX_FMT_RGB32, rgb_width, job->height ) );
     avpicture_fill( &pic_in, buf1, PIX_FMT_YUV420P,
                     title->width, title->height );
     avpicture_fill( &pic_deint, buf2, PIX_FMT_YUV420P,
-                    title->width, title->height );
+                    deint_width, title->height );
     avpicture_fill( &pic_scale, buf3, PIX_FMT_YUV420P,
                     rgb_width, job->height );
     avpicture_fill( &pic_preview, buf4, PIX_FMT_RGB32,
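Review bot: Only the destination of the deinterlace gets the padded width: `buf2`/`pic_deint` now use `deint_width`, while `buf1`/`pic_in` are still sized and filled with `title->width`. The page does not show how avpicture_deinterlace accesses its source rows, so if it reads them with the same 8-pixel granularity an out-of-bounds read past `buf1` may remain; over-allocating with `buf1 = av_malloc( avpicture_get_size( PIX_FMT_YUV420P, deint_width, title->height ) );` while leaving the `avpicture_fill` of `pic_in` unchanged would cover that case. The new declaration should also say why it rounds up, e.g. `/* avpicture_deinterlace writes past rows whose width is not a multiple of 8 */`, because it otherwise reads as a copy of the `rgb_width` line. The `av_malloc` results are passed straight to `avpicture_fill` with no NULL check in the visible lines, and `title->width` is presumably taken from the source media, so a failed allocation is reachable from input. hb_get_preview's body starts before and continues past this hunk, so the deinterlace call and any later use of `pic_deint.linesize` are not visible here.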