Message ID | 20201006142840.289130-1-andreas.rheinhardt@gmail.com |
---|---|
State | Accepted |
Commit | bb13cdbe279d92f595243a9b3e2b91fb48cf146c |
Headers | show |
Series | [FFmpeg-devel,1/3] avfilter/vf_minterpolate: Reject too small dimensions | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
Andreas Rheinhardt: > The latter code relies upon the dimensions to be not too small; > otherwise one will call av_clip() with min > max lateron which aborts > in case ASSERT_LEVEL is >= 2 or one will get a nonsense result that may > lead to a heap-buffer-overflow/underflow. The latter has happened in > ticket #8248 which this commit fixes. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > libavfilter/vf_minterpolate.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c > index c9ce80420d..e1fe5e32b5 100644 > --- a/libavfilter/vf_minterpolate.c > +++ b/libavfilter/vf_minterpolate.c > @@ -363,6 +363,11 @@ static int config_input(AVFilterLink *inlink) > } > > if (mi_ctx->mi_mode == MI_MODE_MCI) { > + if (mi_ctx->b_width < 2 || mi_ctx->b_height < 2) { > + av_log(inlink->dst, AV_LOG_ERROR, "Height or width < %d\n", > + 2 * mi_ctx->mb_size); > + return AVERROR(EINVAL); > + } > mi_ctx->pixel_mvs = av_mallocz_array(width * height, sizeof(PixelMVS)); > mi_ctx->pixel_weights = av_mallocz_array(width * height, sizeof(PixelWeights)); > mi_ctx->pixel_refs = av_mallocz_array(width * height, sizeof(PixelRefs)); > Will apply this patchset tomorrow unless there are objections. - Andreas
diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index c9ce80420d..e1fe5e32b5 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -363,6 +363,11 @@ static int config_input(AVFilterLink *inlink) } if (mi_ctx->mi_mode == MI_MODE_MCI) { + if (mi_ctx->b_width < 2 || mi_ctx->b_height < 2) { + av_log(inlink->dst, AV_LOG_ERROR, "Height or width < %d\n", + 2 * mi_ctx->mb_size); + return AVERROR(EINVAL); + } mi_ctx->pixel_mvs = av_mallocz_array(width * height, sizeof(PixelMVS)); mi_ctx->pixel_weights = av_mallocz_array(width * height, sizeof(PixelWeights)); mi_ctx->pixel_refs = av_mallocz_array(width * height, sizeof(PixelRefs));
The latter code relies upon the dimensions to be not too small; otherwise one will call av_clip() with min > max lateron which aborts in case ASSERT_LEVEL is >= 2 or one will get a nonsense result that may lead to a heap-buffer-overflow/underflow. The latter has happened in ticket #8248 which this commit fixes. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavfilter/vf_minterpolate.c | 5 +++++ 1 file changed, 5 insertions(+)