From patchwork Sat Dec 10 12:06:59 2016
X-Patchwork-Submitter: Marton Balint
X-Patchwork-Id: 1738
From: Marton Balint
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 10 Dec 2016 13:06:59 +0100
Message-Id: <20161210120659.5642-1-cus@passwd.hu>
Subject: [FFmpeg-devel] [PATCH] ffplay: fix sws_scale possible out of bounds array access
Cc: Marton Balint

As I used simple RGBA formats for subtitles and for the video texture if avfilter is disabled I kind of assumed that sws_scale won't access data pointers and strides above index 0, but apparently that is not the case.

Fixes Coverity CID 1396737, 1396738, 1396739, 1396740.

Signed-off-by: Marton Balint
--- ffplay.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ffplay.c b/ffplay.c index bb781a2..911fd7f 100644 --- a/ffplay.c +++ b/ffplay.c @@ -883,11 +883,11 @@ static int upload_texture(SDL_Texture *tex, AVFrame *frame, struct SwsContext ** frame->width, frame->height, frame->format, frame->width, frame->height, AV_PIX_FMT_BGRA, sws_flags, NULL, NULL, NULL); if (*img_convert_ctx != NULL) { - uint8_t *pixels; - int pitch; - if (!SDL_LockTexture(tex, NULL, (void **)&pixels, &pitch)) { + uint8_t *pixels[4]; + int pitch[4]; + if (!SDL_LockTexture(tex, NULL, (void **)pixels, pitch)) { sws_scale(*img_convert_ctx, (const uint8_t * const *)frame->data, frame->linesize, - 0, frame->height, &pixels, &pitch); + 0, frame->height, pixels, pitch); SDL_UnlockTexture(tex); } } else { 
@@ -913,8 +913,8 @@ static void video_image_display(VideoState *is) if (vp->pts >= sp->pts + ((float) sp->sub.start_display_time / 1000)) { if (!sp->uploaded) { - uint8_t *pixels; - int pitch; + uint8_t* pixels[4]; + int pitch[4]; int i; if (!sp->width || !sp->height) { sp->width = vp->width; @@ -939,9 +939,9 @@ static void video_image_display(VideoState *is) av_log(NULL, AV_LOG_FATAL, "Cannot initialize the conversion context\n"); return; } - if (!SDL_LockTexture(is->sub_texture, (SDL_Rect *)sub_rect, (void **)&pixels, &pitch)) { + if (!SDL_LockTexture(is->sub_texture, (SDL_Rect *)sub_rect, (void **)pixels, pitch)) { sws_scale(is->sub_convert_ctx, (const uint8_t * const *)sub_rect->data, sub_rect->linesize, - 0, sub_rect->h, &pixels, &pitch); + 0, sub_rect->h, pixels, pitch); SDL_UnlockTexture(is->sub_texture); } }
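Review bot: In the upload_texture hunk (@@ -883), `uint8_t *pixels[4];` and `int pitch[4];` are declared without initializers, and SDL_LockTexture takes a single pixel pointer and a single pitch, so only element 0 of each array is written before sws_scale runs. The commit message says sws_scale does read data pointers and strides above index 0, which means entries 1 to 3 are now in bounds but hold indeterminate values. Suggest `uint8_t *pixels[4] = { NULL };` and `int pitch[4] = { 0 };` so the unused planes are NULL with zero stride.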
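Review bot: In the video_image_display declaration hunk (@@ -913), `uint8_t* pixels[4];` attaches the asterisk to the type, while the upload_texture hunk of this patch writes `uint8_t *pixels[4];`; please use the second spelling in both places. These arrays are also handed to sws_scale in the @@ -939 hunk after SDL_LockTexture has filled only element 0, so giving them initializers (`= { NULL }` and `= { 0 }`) would keep planes 1 to 3 from carrying uninitialized stack contents into the scaler.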