gecko-dev/media/liboggplay/bug493140.patch

53 lines
2.3 KiB
Diff

diff --git a/media/liboggplay/src/liboggplay/oggplay_callback.c b/media/liboggplay/src/liboggplay/oggplay_callback.c
index 593691f..7683b80 100644
--- a/media/liboggplay/src/liboggplay/oggplay_callback.c
+++ b/media/liboggplay/src/liboggplay/oggplay_callback.c
@@ -107,6 +107,11 @@ oggplay_callback_theora (OGGZ * oggz, ogg_packet * op, long serialno,
decoder->uv_width = decoder->uv_stride = decoder->video_info.frame_width / 2;
decoder->uv_height = decoder->video_info.frame_height / 2;
if (--(decoder->remaining_header_packets) == 0) {
+ /* Ensure the offsets do not push the viewable area outside of the decoded frame. */
+ if (((decoder->video_info.height - decoder->video_info.offset_y)<decoder->video_info.frame_height)||
+ ((decoder->video_info.width - decoder->video_info.offset_x)<decoder->video_info.frame_width))
+ return -1;
+
theora_decode_init(&(decoder->video_handle), &(decoder->video_info));
}
return 0;
diff --git a/media/liboggplay/src/liboggplay/oggplay_data.c b/media/liboggplay/src/liboggplay/oggplay_data.c
index 57a9458..c519d59 100644
--- a/media/liboggplay/src/liboggplay/oggplay_data.c
+++ b/media/liboggplay/src/liboggplay/oggplay_data.c
@@ -323,6 +323,7 @@ oggplay_data_handle_theora_frame (OggPlayTheoraDecode *decode,
int size = sizeof (OggPlayVideoRecord);
int i;
+ int uv_offset;
unsigned char * p;
unsigned char * q;
unsigned char * p2;
@@ -359,17 +360,20 @@ oggplay_data_handle_theora_frame (OggPlayTheoraDecode *decode,
* a row-by-row copy (stride may be negative)
*/
p = data->y;
- q = buffer->y;
+ q = buffer->y + (decode->video_info.offset_x&~1)+buffer->y_stride*(decode->video_info.offset_y&~1);
for (i = 0; i < decode->y_height; i++) {
memcpy(p, q, decode->y_width);
p += decode->y_width;
q += buffer->y_stride;
}
+ uv_offset = (decode->video_info.offset_x/(decode->y_width/decode->uv_width)) +
+ (buffer->uv_stride) *(decode->video_info.offset_y/(decode->y_height/decode->uv_height));
+
p = data->u;
- q = buffer->u;
+ q = buffer->u + uv_offset;
p2 = data->v;
- q2 = buffer->v;
+ q2 = buffer->v + uv_offset;
for (i = 0; i < decode->uv_height; i++) {
memcpy(p, q, decode->uv_width);
memcpy(p2, q2, decode->uv_width);