From patchwork Tue Oct 2 01:04:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 10548
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Tue, 2 Oct 2018 03:04:51 +0200 Message-Id: <20181002010452.12356-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181002010452.12356-1-michael@niedermayer.cc> References: <20181002010452.12356-1-michael@niedermayer.cc> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 2/3] avcodec/rasc: Fix off by 1 error in vertical coordinate X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: out of array read Fixes: 10311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-4856330905452544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index fbbb134f4b..eb021681c6 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -272,9 +272,9 @@ static int decode_move(AVCodecContext *avctx, if (!s->frame2->data[0] || !s->frame1->data[0]) return AVERROR_INVALIDDATA; - b1 = s->frame1->data[0] + s->frame1->linesize[0] * (start_y + h) + start_x * s->bpp; - b2 = s->frame2->data[0] + s->frame2->linesize[0] * (start_y + h) + start_x * s->bpp; - e2 = s->frame2->data[0] + s->frame2->linesize[0] * (mov_y + h) + mov_x * s->bpp; + b1 = s->frame1->data[0] + s->frame1->linesize[0] * (start_y + h - 1) + start_x * s->bpp; + b2 = s->frame2->data[0] + s->frame2->linesize[0] * (start_y + h - 1) + start_x * s->bpp; + e2 = s->frame2->data[0] + s->frame2->linesize[0] * (mov_y + h - 1) + mov_x * s->bpp; if (type == 2) { for (int j = 0; j < h; j++) {
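
Review bot: With "h - 1" now in the row index of b1, b2 and e2, a zero h makes these expressions address row start_y - 1 (and mov_y - 1), which lies before the plane when the coordinate is 0. The "j < h" loop below would not execute in that case, but the hunk does not show whether h is rejected earlier in decode_move, so please confirm that it is, or reject a non-positive h next to the existing AVERROR_INVALIDDATA return. It would also help to add a one-line comment saying that the three pointers address the last row of the rectangle, since the commit message only says "out of array read" and does not explain why start_y + h was one row too far.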