From 2bd90c13a04fddddc4379688eab6b6132aabe933 Mon Sep 17 00:00:00 2001 From: James Berry Date: Wed, 22 Jun 2011 12:41:17 -0400 Subject: [PATCH] get/set reference buffer dimension check added vp8_yv12_copy_frame_ptr() expects same size buffers which was not previously gaurenteed. Using an improperly allocated buffer would cause a crash before. Change-Id: I904982313ce9352474f80de842013dcd89f48685 --- vp8/common/onyxd.h | 5 +++-- vp8/decoder/onyxd_if.c | 59 +++++++++++++++++++++++++++++++++++--------------- vp8/vp8_dx_iface.c | 6 ++--- 3 files changed, 46 insertions(+), 24 deletions(-) diff --git a/vp8/common/onyxd.h b/vp8/common/onyxd.h index 140dc57..cf16a26 100644 --- a/vp8/common/onyxd.h +++ b/vp8/common/onyxd.h @@ -22,6 +22,7 @@ extern "C" #include "vpx_scale/yv12config.h" #include "ppflags.h" #include "vpx_ports/mem.h" +#include "vpx/vpx_codec.h" typedef void *VP8D_PTR; typedef struct @@ -54,8 +55,8 @@ extern "C" int vp8dx_receive_compressed_data(VP8D_PTR comp, unsigned long size, const unsigned char *dest, INT64 time_stamp); int vp8dx_get_raw_frame(VP8D_PTR comp, YV12_BUFFER_CONFIG *sd, INT64 *time_stamp, INT64 *time_end_stamp, vp8_ppflags_t *flags); - int vp8dx_get_reference(VP8D_PTR comp, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd); - int vp8dx_set_reference(VP8D_PTR comp, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd); + vpx_codec_err_t vp8dx_get_reference(VP8D_PTR comp, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd); + vpx_codec_err_t vp8dx_set_reference(VP8D_PTR comp, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd); VP8D_PTR vp8dx_create_decompressor(VP8D_CONFIG *oxcf); diff --git a/vp8/decoder/onyxd_if.c b/vp8/decoder/onyxd_if.c index 4845cd0..9de5ce2 100644 --- a/vp8/decoder/onyxd_if.c +++ b/vp8/decoder/onyxd_if.c @@ -134,7 +134,7 @@ void vp8dx_remove_decompressor(VP8D_PTR ptr) } -int vp8dx_get_reference(VP8D_PTR ptr, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd) +vpx_codec_err_t vp8dx_get_reference(VP8D_PTR ptr, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd) { VP8D_COMP *pbi = (VP8D_COMP *) ptr; VP8_COMMON *cm = &pbi->common; @@ -146,16 +146,27 @@ int vp8dx_get_reference(VP8D_PTR ptr, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_C ref_fb_idx = cm->gld_fb_idx; else if (ref_frame_flag == VP8_ALT_FLAG) ref_fb_idx = cm->alt_fb_idx; - else - return -1; + else{ + vpx_internal_error(&pbi->common.error, VPX_CODEC_ERROR, + "Invalid reference frame"); + return pbi->common.error.error_code; + } - vp8_yv12_copy_frame_ptr(&cm->yv12_fb[ref_fb_idx], sd); + if(cm->yv12_fb[ref_fb_idx].y_height != sd->y_height || + cm->yv12_fb[ref_fb_idx].y_width != sd->y_width || + cm->yv12_fb[ref_fb_idx].uv_height != sd->uv_height || + cm->yv12_fb[ref_fb_idx].uv_width != sd->uv_width){ + vpx_internal_error(&pbi->common.error, VPX_CODEC_ERROR, + "Incorrect buffer dimensions"); + } + else + vp8_yv12_copy_frame_ptr(&cm->yv12_fb[ref_fb_idx], sd); - return 0; + return pbi->common.error.error_code; } -int vp8dx_set_reference(VP8D_PTR ptr, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd) +vpx_codec_err_t vp8dx_set_reference(VP8D_PTR ptr, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_CONFIG *sd) { VP8D_COMP *pbi = (VP8D_COMP *) ptr; VP8_COMMON *cm = &pbi->common; @@ -168,20 +179,32 @@ int vp8dx_set_reference(VP8D_PTR ptr, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_C ref_fb_ptr = &cm->gld_fb_idx; else if (ref_frame_flag == VP8_ALT_FLAG) ref_fb_ptr = &cm->alt_fb_idx; - else - return -1; - - /* Find an empty frame buffer. */ - free_fb = get_free_fb(cm); - /* Decrease fb_idx_ref_cnt since it will be increased again in - * ref_cnt_fb() below. */ - cm->fb_idx_ref_cnt[free_fb]--; + else{ + vpx_internal_error(&pbi->common.error, VPX_CODEC_ERROR, + "Invalid reference frame"); + return pbi->common.error.error_code; + } - /* Manage the reference counters and copy image. */ - ref_cnt_fb (cm->fb_idx_ref_cnt, ref_fb_ptr, free_fb); - vp8_yv12_copy_frame_ptr(sd, &cm->yv12_fb[*ref_fb_ptr]); + if(cm->yv12_fb[*ref_fb_ptr].y_height != sd->y_height || + cm->yv12_fb[*ref_fb_ptr].y_width != sd->y_width || + cm->yv12_fb[*ref_fb_ptr].uv_height != sd->uv_height || + cm->yv12_fb[*ref_fb_ptr].uv_width != sd->uv_width){ + vpx_internal_error(&pbi->common.error, VPX_CODEC_ERROR, + "Incorrect buffer dimensions"); + } + else{ + /* Find an empty frame buffer. */ + free_fb = get_free_fb(cm); + /* Decrease fb_idx_ref_cnt since it will be increased again in + * ref_cnt_fb() below. */ + cm->fb_idx_ref_cnt[free_fb]--; + + /* Manage the reference counters and copy image. */ + ref_cnt_fb (cm->fb_idx_ref_cnt, ref_fb_ptr, free_fb); + vp8_yv12_copy_frame_ptr(sd, &cm->yv12_fb[*ref_fb_ptr]); + } - return 0; + return pbi->common.error.error_code; } /*For ARM NEON, d8-d15 are callee-saved registers, and need to be saved by us.*/ diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c index e0f4c0a..d74dc87 100644 --- a/vp8/vp8_dx_iface.c +++ b/vp8/vp8_dx_iface.c @@ -588,8 +588,7 @@ static vpx_codec_err_t vp8_set_reference(vpx_codec_alg_priv_t *ctx, image2yuvconfig(&frame->img, &sd); - vp8dx_set_reference(ctx->pbi, frame->frame_type, &sd); - return VPX_CODEC_OK; + return vp8dx_set_reference(ctx->pbi, frame->frame_type, &sd); } else return VPX_CODEC_INVALID_PARAM; @@ -610,8 +609,7 @@ static vpx_codec_err_t vp8_get_reference(vpx_codec_alg_priv_t *ctx, image2yuvconfig(&frame->img, &sd); - vp8dx_get_reference(ctx->pbi, frame->frame_type, &sd); - return VPX_CODEC_OK; + return vp8dx_get_reference(ctx->pbi, frame->frame_type, &sd); } else return VPX_CODEC_INVALID_PARAM; -- 2.7.4