From 377c80668589e77c4bffafc4f7568cfaf61ec264 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.net>
Date: Wed, 7 Nov 2012 11:17:14 +0000
Subject: [PATCH] video: don't crash when blending onto video formats that
 unpack to 64 bits per pixel

We only allocate 8 bits per component for our temp buffers, which
causes invalid memory accesses if we try to unpack formats that
unpack into a format with 16 bits per component such as e.g. v210.

We don't support blending onto those yet, so just bail out.
---
 gst-libs/gst/video/video-blend.c | 34 +++++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/gst-libs/gst/video/video-blend.c b/gst-libs/gst/video/video-blend.c
index 636d1d3..835b7bb 100644
--- a/gst-libs/gst/video/video-blend.c
+++ b/gst-libs/gst/video/video-blend.c
@@ -251,7 +251,7 @@ gst_video_blend (GstVideoFrame * dest,
   guint8 *tmpdestline = NULL, *tmpsrcline = NULL;
   gboolean src_premultiplied_alpha, dest_premultiplied_alpha;
   void (*matrix) (guint8 * tmpline, guint width);
-  const GstVideoFormatInfo *sinfo, *dinfo;
+  const GstVideoFormatInfo *sinfo, *dinfo, *dunpackinfo, *sunpackinfo;
 
   g_assert (dest != NULL);
   g_assert (src != NULL);
@@ -273,9 +273,6 @@ gst_video_blend (GstVideoFrame * dest,
   dest_width = GST_VIDEO_FRAME_WIDTH (dest);
   dest_height = GST_VIDEO_FRAME_HEIGHT (dest);
 
-  tmpdestline = g_malloc (sizeof (guint8) * (dest_width + 8) * 4);
-  tmpsrcline = g_malloc (sizeof (guint8) * (dest_width + 8) * 4);
-
   ensure_debug_category ();
 
   dinfo = gst_video_format_get_info (GST_VIDEO_FRAME_FORMAT (dest));
@@ -284,6 +281,20 @@ gst_video_blend (GstVideoFrame * dest,
   if (!sinfo || !dinfo)
     goto failed;
 
+  dunpackinfo = gst_video_format_get_info (dinfo->unpack_format);
+  sunpackinfo = gst_video_format_get_info (sinfo->unpack_format);
+
+  if (dunpackinfo == NULL || sunpackinfo == NULL)
+    goto failed;
+
+  g_assert (GST_VIDEO_FORMAT_INFO_BITS (sunpackinfo) == 8);
+
+  if (GST_VIDEO_FORMAT_INFO_BITS (dunpackinfo) != 8)
+    goto unpack_format_not_supported;
+
+  tmpdestline = g_malloc (sizeof (guint8) * (dest_width + 8) * 4);
+  tmpsrcline = g_malloc (sizeof (guint8) * (dest_width + 8) * 4);
+
   matrix = matrix_identity;
   if (GST_VIDEO_INFO_IS_RGB (&src->info) != GST_VIDEO_INFO_IS_RGB (&dest->info)) {
     if (GST_VIDEO_INFO_IS_RGB (&src->info)) {
@@ -390,9 +401,14 @@ gst_video_blend (GstVideoFrame * dest,
   return TRUE;
 
 failed:
-  GST_WARNING ("Could not do the blending");
-  g_free (tmpdestline);
-  g_free (tmpsrcline);
-
-  return FALSE;
+  {
+    GST_WARNING ("Could not do the blending");
+    return FALSE;
+  }
+unpack_format_not_supported:
+  {
+    GST_FIXME ("video format %s not supported yet for blending",
+        gst_video_format_to_string (dinfo->unpack_format));
+    return FALSE;
+  }
 }
-- 
2.7.4