Fixed bug #4841 - Out of bounds read (by 1 byte) in yuvnv12_rgb24_sseu

This commit is contained in:
Sylvain 2021-10-17 22:02:19 +02:00
parent ea97ab6164
commit 50f969c1b2
No known key found for this signature in database
GPG Key ID: 5F87E02E5BC0939E
1 changed files with 15 additions and 1 deletions

View File

@ -415,6 +415,17 @@ void SSE_FUNCTION_NAME(uint32_t width, uint32_t height,
#error Unknown RGB pixel size
#endif
#if YUV_FORMAT == YUV_FORMAT_NV12
/* For NV12 formats (where U/V are interleaved)
* SSE READ_UV does an invalid read access at the very last pixel.
* As a workaround. Make sure not to decode the last column using assembly but with STD fallback path.
* see https://github.com/libsdl-org/SDL/issues/4841
*/
const int fix_read_nv12 = ((width & 31) == 0);
#else
const int fix_read_nv12 = 0;
#endif
if (width >= 32) {
uint32_t xpos, ypos;
for(ypos=0; ypos<(height-(uv_y_sample_interval-1)); ypos+=uv_y_sample_interval)
@ -427,7 +438,7 @@ void SSE_FUNCTION_NAME(uint32_t width, uint32_t height,
uint8_t *rgb_ptr1=RGB+ypos*RGB_stride,
*rgb_ptr2=RGB+(ypos+1)*RGB_stride;
for(xpos=0; xpos<(width-31); xpos+=32)
for(xpos=0; xpos<(width-31) - fix_read_nv12; xpos+=32)
{
YUV2RGB_32
{
@ -464,6 +475,9 @@ void SSE_FUNCTION_NAME(uint32_t width, uint32_t height,
/* Catch the right column, if needed */
{
int converted = (width & ~31);
if (fix_read_nv12) {
converted -= 32;
}
if (converted != width)
{
const uint8_t *y_ptr=Y+converted*y_pixel_stride,