[vlc-devel] [patch] i420_rgb: buffer overflow
jnqnfe at gmail.com
jnqnfe at gmail.com
Tue Jan 22 22:11:11 CET 2019
On Tue, 2019-01-22 at 21:05 +0100, Francois Cartegnie wrote:
> Le 22/01/2019 à 18:44, jnqnfe at gmail.com a écrit :
> > xmm5 = _mm_or_si128(xmm5, xmm7); \
> > - _mm_storeu_si128((__m128i*)(p_buffer+16), xmm5);
> > + _mm_storeu_si128((__m128i*)(p_buffer+8), xmm5);
>
> To me matches the Assembly one Line 204
>
> # convert rgb24 plane to rgb15 pack for pixel 8-15
> \n\
> punpckhbw %%xmm4, %%xmm7 # ________ ________ g7g6g5g4 g3______
> \n\
> punpckhbw %%xmm1, %%xmm5 # r7r6r5r4 r3______ ______b7 b6b5b4b3
> \n\
> psllw $2,%%xmm7 # ________ ____g7g6 g5g4g3__ ________
> \n\
> por %%xmm7, %%xmm5 # r7r6r5r4 r3__g7g6 g5g4g3b7 b6b5b4b3
> \n\
> movdqu %%xmm5, 16(%3) # store pixel 4-7
> \n\
> "
>
> and the caller also increases buffer by 16
>
the assembly is doing +16 bytes, the function based implementation for
RGB15/16 is working with a word-pointer, thus needs to do +8 words.
doing +16 in this one instance results in +16 words thus writing twice
as far out as it should.
note that for the 32-bit formats the function based ones are working on
a dword-pointer, so the assembly uses +16, while the functions use +4
More information about the vlc-devel
mailing list