From patchwork Tue Oct 6 14:28:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Rheinhardt X-Patchwork-Id: 22743 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 75F0F44AF3D for ; Tue, 6 Oct 2020 18:28:23 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4A1A468B6D3; Tue, 6 Oct 2020 18:28:23 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-ed1-f66.google.com (mail-ed1-f66.google.com [209.85.208.66]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 69E9A68B435 for ; Tue, 6 Oct 2020 18:28:17 +0300 (EEST) Received: by mail-ed1-f66.google.com with SMTP id dn5so14014908edb.10 for ; Tue, 06 Oct 2020 08:28:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=mZ9mhQw5gLRNJhVlgyYoUUpSDHtyaUi+alzm9wIZdgo=; b=tM8K18P7/qToMVU05sofG+Y509n57VIdvks00mGHHjib3BYBsTkIMOY+w/SraQb/H6 dNOf0HEOnxgTXqKl+oa3jLBeB/imhaFQYyjE9Vb9OIOCj5lBi100JpzscEZaZbEQMEmG L6FGCvp9D1tFwxWXVwDxzSXtVgaZ7MbwW1EJx6meHarpo5Gz5CZNIVGT7grZoxhy5mYo HJQdxF/WUGiPJ1fxUMPudRigtvv5fwMKecGnWH3YraoyYgXtQUEOjC+lKv/91pnBmtKX TDzjmPTS08i+HxUReEeJdNN9cDiME13u/8Mv9ZYXtx5cKMcAMc/3apvSG7s//whOO2Lv Mtkw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=mZ9mhQw5gLRNJhVlgyYoUUpSDHtyaUi+alzm9wIZdgo=; b=iLX2bjo6V/vCekoVlRuSQh67eRR7h7wLNdwAFlJ8E2ArTw2lZzjdPqvC3Sr9lM4to1 AsATNpSJTP41sr4XUuEa5jWrMShWaCJgqEAZfIuBnUljw2Z6+DMZs+x3adzADh9TnORB SMYgi9bdN673D5Qc2d7EpPXNypBj0w5b73SwV77B1WmLChfFcuq+KlJBdQUbZbF/ZtE7 Vd7jhhwPqPxnHtf9lMeJs+wIqECRlr1A6h0mDAwHGeRZ5ZaCTV1yIKt1aLJRqEaIPlts Olj9UsrA0xD2aE95A3uKqDszH4PNQtRx/Xjuf+zNbO8MFRMi3rafthZDQyJ/vNDXPVf3 QgCA== X-Gm-Message-State: AOAM533ABVbXfO/koAtYOMbZKPkjxU3a9gKI/3PhBLa+ELdp0FiWQMUR N6HI0PJPAyQIyIrXvzZroNccCUh/VeM= X-Google-Smtp-Source: ABdhPJy1W8GYa/gVxspRGXkqT55VAFQlY3qrSsYvXbyZgY6DERnmqQ+IZKnGUp0djZlBBIlLNKfFKQ== X-Received: by 2002:a17:906:c109:: with SMTP id do9mr5440449ejc.142.1601994528587; Tue, 06 Oct 2020 07:28:48 -0700 (PDT) Received: from sblaptop.fritz.box (ipbcc1aa4b.dynamic.kabel-deutschland.de. [188.193.170.75]) by smtp.gmail.com with ESMTPSA id z20sm2249781eji.104.2020.10.06.07.28.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Oct 2020 07:28:47 -0700 (PDT) From: Andreas Rheinhardt To: ffmpeg-devel@ffmpeg.org Date: Tue, 6 Oct 2020 16:28:38 +0200 Message-Id: <20201006142840.289130-1-andreas.rheinhardt@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 1/3] avfilter/vf_minterpolate: Reject too small dimensions X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Andreas Rheinhardt Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" The latter code relies upon the dimensions to be not too small; otherwise one will call av_clip() with min > max lateron which aborts in case ASSERT_LEVEL is >= 2 or one will get a nonsense result that may lead to a heap-buffer-overflow/underflow. The latter has happened in ticket #8248 which this commit fixes. Signed-off-by: Andreas Rheinhardt --- libavfilter/vf_minterpolate.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index c9ce80420d..e1fe5e32b5 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -363,6 +363,11 @@ static int config_input(AVFilterLink *inlink) } if (mi_ctx->mi_mode == MI_MODE_MCI) { + if (mi_ctx->b_width < 2 || mi_ctx->b_height < 2) { + av_log(inlink->dst, AV_LOG_ERROR, "Height or width < %d\n", + 2 * mi_ctx->mb_size); + return AVERROR(EINVAL); + } mi_ctx->pixel_mvs = av_mallocz_array(width * height, sizeof(PixelMVS)); mi_ctx->pixel_weights = av_mallocz_array(width * height, sizeof(PixelWeights)); mi_ctx->pixel_refs = av_mallocz_array(width * height, sizeof(PixelRefs));