Message ID | 20161108002153.66910-1-bangnoise@gmail.com |
---|---|
State | Superseded |
Headers | show |
On Tue, Nov 08, 2016 at 12:21:52AM +0000, Tom Butterworth wrote: > This allows a subsequent change to compress directly into the output packet when possible. > --- > libavcodec/hapenc.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/hapenc.c b/libavcodec/hapenc.c > index 076923b..7056b62 100644 > --- a/libavcodec/hapenc.c > +++ b/libavcodec/hapenc.c > @@ -52,10 +52,9 @@ enum HapHeaderLength { > HAP_HDR_LONG = 8, > }; > > -static void compress_texture(AVCodecContext *avctx, const AVFrame *f) > +static void compress_texture(AVCodecContext *avctx, uint8_t *out, const AVFrame *f) passing an output array without array size into a function raises a red security flag. This should have some check or assert to protect against overwriting beyond the array end. And or the size requirements should be documented so that the code allocating and te code writing stay in sync Even if it never can overwrite ATM, assumtations can easily get broken or get out of sync by mistake ... while this isnt exactly a problem introduced by this patch i think this should be improved [...]
On Tue, 8 Nov 2016 at 12:44 Michael Niedermayer <michael@niedermayer.cc> wrote: ... > > -static void compress_texture(AVCodecContext *avctx, const AVFrame *f) > > +static void compress_texture(AVCodecContext *avctx, uint8_t *out, const > AVFrame *f) > > passing an output array without array size into a function raises a > red security flag. > > This should have some check or assert to protect against overwriting > beyond the array end. > And or the size requirements should be documented so that the code > allocating and te code writing stay in sync > > Even if it never can overwrite ATM, assumtations can easily get > broken or get out of sync by mistake ... > > while this isnt exactly a problem introduced by this patch i think this > should be improved > Okay, revised patches will follow
diff --git a/libavcodec/hapenc.c b/libavcodec/hapenc.c index 076923b..7056b62 100644 --- a/libavcodec/hapenc.c +++ b/libavcodec/hapenc.c @@ -52,10 +52,9 @@ enum HapHeaderLength { HAP_HDR_LONG = 8, }; -static void compress_texture(AVCodecContext *avctx, const AVFrame *f) +static void compress_texture(AVCodecContext *avctx, uint8_t *out, const AVFrame *f) { HapContext *ctx = avctx->priv_data; - uint8_t *out = ctx->tex_buf; int i, j; for (j = 0; j < avctx->height; j += 4) { @@ -201,7 +200,7 @@ static int hap_encode(AVCodecContext *avctx, AVPacket *pkt, return ret; /* DXTC compression. */ - compress_texture(avctx, frame); + compress_texture(avctx, ctx->tex_buf, frame); /* Compress (using Snappy) the frame */ final_data_size = hap_compress_frame(avctx, pkt->data + header_length);