Message ID | 20200915074000.102622-22-andreas.rheinhardt@gmail.com |
---|---|
State | Accepted |
Commit | e42fc6263379176869dd9a6467e37f9956d56431 |
Headers | show |
Series | [FFmpeg-devel,01/30] avcodec/flashsvenc: Avoid allocation of buffer, fix memleak | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
On Tue, Sep 15, 2020 at 09:39:52AM +0200, Andreas Rheinhardt wrote: > The MobiClip decoder uses adjacent pixels for prediction; yet when > accessing the left pixel, it was forgotten to clip the x coordinate. > This results in an heap-buffer-overflow. It can e.g. be reproduced with > the sample from https://samples.ffmpeg.org/V-codecs/MOHD/crap.avi when > forcing the video decoder to mobiclip. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > libavcodec/mobiclip.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > ok > diff --git a/libavcodec/mobiclip.c b/libavcodec/mobiclip.c > index 8758e7f617..47387fce90 100644 > --- a/libavcodec/mobiclip.c > +++ b/libavcodec/mobiclip.c > @@ -905,7 +905,7 @@ static int predict_intra(AVCodecContext *avctx, AVFrame *frame, int ax, int ay, > int arr1[16]; > int arr2[16]; > uint8_t *top = frame->data[plane] + FFMAX(ay - 1, 0) * frame->linesize[plane] + ax; > - uint8_t *left = frame->data[plane] + ay * frame->linesize[plane] + ax - 1; > + uint8_t *left = frame->data[plane] + ay * frame->linesize[plane] + FFMAX(ax - 1, 0); > int bottommost = frame->data[plane][(ay + size - 1) * frame->linesize[plane] + FFMAX(ax - 1, 0)]; > int rightmost = frame->data[plane][FFMAX(ay - 1, 0) * frame->linesize[plane] + ax + size - 1]; > int avg = (bottommost + rightmost + 1) / 2 + 2 * get_se_golomb(gb); > -- > 2.25.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
diff --git a/libavcodec/mobiclip.c b/libavcodec/mobiclip.c index 8758e7f617..47387fce90 100644 --- a/libavcodec/mobiclip.c +++ b/libavcodec/mobiclip.c @@ -905,7 +905,7 @@ static int predict_intra(AVCodecContext *avctx, AVFrame *frame, int ax, int ay, int arr1[16]; int arr2[16]; uint8_t *top = frame->data[plane] + FFMAX(ay - 1, 0) * frame->linesize[plane] + ax; - uint8_t *left = frame->data[plane] + ay * frame->linesize[plane] + ax - 1; + uint8_t *left = frame->data[plane] + ay * frame->linesize[plane] + FFMAX(ax - 1, 0); int bottommost = frame->data[plane][(ay + size - 1) * frame->linesize[plane] + FFMAX(ax - 1, 0)]; int rightmost = frame->data[plane][FFMAX(ay - 1, 0) * frame->linesize[plane] + ax + size - 1]; int avg = (bottommost + rightmost + 1) / 2 + 2 * get_se_golomb(gb);
The MobiClip decoder uses adjacent pixels for prediction; yet when accessing the left pixel, it was forgotten to clip the x coordinate. This results in an heap-buffer-overflow. It can e.g. be reproduced with the sample from https://samples.ffmpeg.org/V-codecs/MOHD/crap.avi when forcing the video decoder to mobiclip. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavcodec/mobiclip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)