Fix crashes when there are sized wider frames in the stream, and we are
linked with libjpeg.
Related : rhbz#813826
Resolves: rhbz#820669
---
server/mjpeg_encoder.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/server/mjpeg_encoder.c b/server/mjpeg_encoder.c
index 6bb2f69..b812ba0 100644
--- a/server/mjpeg_encoder.c
+++ b/server/mjpeg_encoder.c
@@ -26,6 +26,7 @@
struct MJpegEncoder {
uint8_t *row;
+ uint32_t row_size;
int first_frame;
int quality;
@@ -196,6 +197,8 @@ int mjpeg_encoder_start_frame(MJpegEncoder *encoder, SpiceBitmapFmt format,
{
encoder->cinfo.in_color_space = JCS_RGB;
encoder->cinfo.input_components = 3;
+ encoder->pixel_converter = NULL;
+
switch (format) {
case SPICE_BITMAP_FMT_32BIT:
case SPICE_BITMAP_FMT_RGBA:
@@ -224,13 +227,16 @@ int mjpeg_encoder_start_frame(MJpegEncoder *encoder, SpiceBitmapFmt format,
return FALSE;
}
- if ((encoder->pixel_converter != NULL) && (encoder->row == NULL)) {
+ if (encoder->pixel_converter != NULL) {
unsigned int stride = width * 3;
/* check for integer overflow */
if (stride < width) {
return FALSE;
}
- encoder->row = spice_malloc(stride);
+ if (encoder->row_size < stride) {
+ encoder->row = spice_realloc(encoder->row, stride);
+ encoder->row_size = stride;
+ }
}
spice_jpeg_mem_dest(&encoder->cinfo, dest, dest_len);
--
1.7.7.6
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
[Linux ARM Kernel]
[Linux ARM]
[Linux Omap]
[Fedora ARM]
[IETF Annouce]
[Security]
[Bugtraq]
[Linux]
[Linux OMAP]
[Linux MIPS]
[ECOS]
[Tools]
[DDR & Rambus]
[Asterisk Internet PBX]
[Linux API]
[Monitors]
