
[FFmpeg-devel] lavc/vvc: Increase IntraEdgeParams buffer size

Message ID 20240129232104.4193951-1-post@frankplowman.com
State Accepted
Commit 85e031d5bfa83c25e4b644e3453fe8073d959a4c
Series [FFmpeg-devel] lavc/vvc: Increase IntraEdgeParams buffer size | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Frank Plowman Jan. 29, 2024, 11:22 p.m. UTC
The reference line buffers are used with indices in the range
-MAX_TB_SIZE - 3 to refw + FFMAX(1, w/h) * ref_idx + 1, which is
at most 5*MAX_TB_SIZE + 1.

Fixes buffer overflows.
http://fate.ffmpeg.org/report.cgi?slot=armv7-linux-gcc-9&time=20240124051736
---
 libavcodec/vvc/vvcdsp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

James Almer Jan. 29, 2024, 11:32 p.m. UTC | #1
On 1/29/2024 8:22 PM, Frank Plowman wrote:
> The reference line buffers are used with indices in the range
> -MAX_TB_SIZE - 3 to refw + FFMAX(1, w/h) * ref_idx + 1, which is
> at most 5*MAX_TB_SIZE + 1.
> 
> Fixes buffer overflows.
> http://fate.ffmpeg.org/report.cgi?slot=armv7-linux-gcc-9&time=20240124051736
> ---
>   libavcodec/vvc/vvcdsp.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/libavcodec/vvc/vvcdsp.c b/libavcodec/vvc/vvcdsp.c
> index c82ea7be30..56e71d5163 100644
> --- a/libavcodec/vvc/vvcdsp.c
> +++ b/libavcodec/vvc/vvcdsp.c
> @@ -87,10 +87,10 @@ typedef struct IntraEdgeParams {
>       uint8_t* left;
>       int filter_flag;
>   
> -    uint16_t left_array[3 * MAX_TB_SIZE + 3];
> -    uint16_t filtered_left_array[3 * MAX_TB_SIZE + 3];
> -    uint16_t top_array[3 * MAX_TB_SIZE + 3];
> -    uint16_t filtered_top_array[3 * MAX_TB_SIZE + 3];
> +    uint16_t left_array[6 * MAX_TB_SIZE + 5];
> +    uint16_t filtered_left_array[6 * MAX_TB_SIZE + 5];
> +    uint16_t top_array[6 * MAX_TB_SIZE + 5];
> +    uint16_t filtered_top_array[6 * MAX_TB_SIZE + 5];
>   } IntraEdgeParams;
>   
>   #define PROF_BORDER_EXT         1

Applied, thanks.

Patch

diff --git a/libavcodec/vvc/vvcdsp.c b/libavcodec/vvc/vvcdsp.c
index c82ea7be30..56e71d5163 100644
--- a/libavcodec/vvc/vvcdsp.c
+++ b/libavcodec/vvc/vvcdsp.c
@@ -87,10 +87,10 @@  typedef struct IntraEdgeParams {
     uint8_t* left;
     int filter_flag;
 
-    uint16_t left_array[3 * MAX_TB_SIZE + 3];
-    uint16_t filtered_left_array[3 * MAX_TB_SIZE + 3];
-    uint16_t top_array[3 * MAX_TB_SIZE + 3];
-    uint16_t filtered_top_array[3 * MAX_TB_SIZE + 3];
+    uint16_t left_array[6 * MAX_TB_SIZE + 5];
+    uint16_t filtered_left_array[6 * MAX_TB_SIZE + 5];
+    uint16_t top_array[6 * MAX_TB_SIZE + 5];
+    uint16_t filtered_top_array[6 * MAX_TB_SIZE + 5];
 } IntraEdgeParams;
 
 #define PROF_BORDER_EXT         1
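Review bot: The bound `6 * MAX_TB_SIZE + 5` is written out four times in IntraEdgeParams and nothing in the code records where it comes from; the derivation (lowest index -MAX_TB_SIZE - 3, highest 5*MAX_TB_SIZE + 1, hence 6*MAX_TB_SIZE + 5 elements) lives only in the commit message. These arrays are filled while decoding untrusted bitstreams and the previous size overflowed, so I would name the size once and use it for all four members, for example `#define INTRA_EDGE_BUF_SIZE (6 * MAX_TB_SIZE + 5) /* indices -MAX_TB_SIZE - 3 .. 5 * MAX_TB_SIZE + 1 */` (the macro name is only a suggestion). The struct begins above the hunk, and the code that offsets the base pointers into these arrays and computes `refw + FFMAX(1, w/h) * ref_idx + 1` is not visible here, so whether the offset matches MAX_TB_SIZE + 3 cannot be confirmed from this patch. An assertion on the highest index at that site would catch a later change to MAX_TB_SIZE or the ref_idx range before it becomes another out-of-bounds write.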