author | Ronald S. Bultje <rsbultje@gmail.com> | 2016-01-16 14:44:28 -0500 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-08-23 13:15:16 +0200 |
commit | c277b24173eb78a9ba6b36cf28e985e247b48d12 (patch) | |
tree | 2ce0a59796f4dfa3c9c81054ccf1aebba86c350e | |
parent | 45f5e17aa43a4cebed77d8e9781447ad29a0ed61 (diff) | |
download | ffmpeg-c277b24173eb78a9ba6b36cf28e985e247b48d12.tar.gz |
videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations.
This can overread the buffer (either before its start or beyond its end) in
Nx1 (i.e. height=1) images.
Fixes mozilla bug 1240080.
(cherry picked from commit 0f88b3f82fafd536979993aeaafcb11a22266dbd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/x86/videodsp.asm | 21 |
1 files changed, 6 insertions, 15 deletions
diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm
index 77189fa6ef..0685b03c2b 100644
--- a/libavcodec/x86/videodsp.asm
+++ b/libavcodec/x86/videodsp.asm
@@ -184,14 +184,10 @@ hvar_fn
 mov valb, [srcq+%2-1]
 %elif (%2-%%off) == 2
 mov valw, [srcq+%2-2]
-%elifidn %1, body
+%else
 mov valb, [srcq+%2-1]
- sal vald, 16
+ ror vald, 16
 mov valw, [srcq+%2-3]
-%elifidn %1, bottom
- movd mm %+ %%mmx_idx, [srcq+%2-4]
-%else ; top
- movd mm %+ %%mmx_idx, [srcq+%2-3]
 %endif
 %endif ; (%2-%%off) >= 1
 %endmacro ; READ_NUM_BYTES
@@ -244,18 +240,13 @@ hvar_fn
 mov [dstq+%2-1], valb
 %elif (%2-%%off) == 2
 mov [dstq+%2-2], valw
-%elifidn %1, body
- mov [dstq+%2-3], valw
- sar vald, 16
- mov [dstq+%2-1], valb
 %else
- movd vald, mm %+ %%mmx_idx
-%ifidn %1, bottom
- sar vald, 8
-%endif
 mov [dstq+%2-3], valw
- sar vald, 16
+ ror vald, 16
 mov [dstq+%2-1], valb
+%ifnidn %1, body
+ ror vald, 16
+%endif
 %endif
 %endif ; (%2-%%off) >= 1
 %endmacro ; WRITE_NUM_BYTES |
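Review bot: The new `%else` arm in READ_NUM_BYTES is only correct when exactly three bytes remain, but with the `body`/`bottom`/`top` labels gone nothing on the line says so; I would write it as `%else ; (%2-%%off) == 3, byte-wise load shared by top/body/bottom`. The sequence writes `valb`, rotates, then writes `valw`, so bits 24-31 of `vald` hold stale data, which is harmless only while the matching store writes three bytes and is worth stating next to the `ror`. Since top and bottom now keep the tail in `val` instead of an MMX register, `val` presumably has to stay live across the row loop that sits outside this hunk, so that is worth confirming for every user of the macro. The macro begins above the hunk.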
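Review bot: The second `ror vald, 16` under `%ifnidn %1, body` in WRITE_NUM_BYTES has no comment, yet it is the line that keeps the fix correct: it puts `val` back in load order, presumably because top/bottom store the same value for several rows after a single read. Something like `ror vald, 16 ; restore val, top/bottom reuse it on the next row` would stop a later cleanup from removing it as redundant. The commit also carries no regression case for the height=1 input named in the message; a checkasm or FATE case with an Nx1 frame, run under a memory checker, would pin the overread. The macro begins above the hunk.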