From patchwork Sun May 12 12:40:00 2019
X-Patchwork-Submitter: Adam Richter
X-Patchwork-Id: 13085
From: Adam Richter
Date: Sun, 12 May 2019 05:40:00 -0700
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH] libswscale: Fix possible string overflow in test
List-Id: FFmpeg development discussions and patches

This is a possible fix for a string overflow in some sscanf calls in libswscale/tests/swscale.c, in the function fileTest(), found by cppcheck.

Please see the attachment for more discussion of this.

Thanks in advance for considering this patch.

Adam

From 8b5f994bcd2576588149f228695823b5cf8d3dc8 Mon Sep 17 00:00:00 2001
From: Adam Richter
Date: Sun, 12 May 2019 05:03:25 -0700
Subject: [PATCH] libswscale: Fix possible string overflow in test.

In libswscale/tests/swscale.c, the function fileTest() calls sscanf with an argument of "%12s" on the character arrays srcStr[] and dstStr[], which are only 12 bytes. So, if the input string is 12 characters, a terminating null byte can be written past the end of these arrays.

This bug was found by cppcheck.

I am not an ffmpeg or libswscale developer, and I believe that this is the first patch I am submitting to ffmpeg, so please let me know if I am doing anything wrong in the patch submission process. For the same reason, please examine this patch skeptically, especially considering that I have not tested this patch other than to see that it compiled without complaint and that "make fate" completed with a zero exit code.

I do not know if this program actually expects these input strings to be a maximum of 11 or 12 characters long. In this patch, I assume that they could be 12 characters long, so I have extended the array sizes, but perhaps a more correct fix might be to change the "%12s" instances to "%11s" instead.

Thanks in advance for considering this patch.

Signed-off-by: Adam Richter
--- libswscale/tests/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index e72c4c3306..cb731f6211 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -312,10 +312,10 @@ static int fileTest(const uint8_t * const ref[4], int refStride[4], while (fgets(buf, sizeof(buf), fp)) { struct Results r; enum AVPixelFormat srcFormat; - char srcStr[12]; + char srcStr[13]; int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; - char dstStr[12]; + char dstStr[13]; int dstW = 0, dstH = 0; int flags; int ret; -- 2.21.0
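
Review bot: the new sizes in `char srcStr[13];` and `char dstStr[13];` are bare numbers whose correctness depends on the "%12s" widths in the sscanf calls, which sit outside this hunk, so nothing in the code ties the two together if either is changed later. Consider a short comment on both declarations (12 characters plus the terminating NUL, matching "%12s") or a shared constant for the buffer size. The commit message leaves open whether 12-character strings are valid input; if they are not, keeping `[12]` and changing the format to "%11s" would be the smaller change, and either way the commit message should state which maximum length the input is expected to have.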
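
The sizing rule the commit message describes, as an added example (not code from the patch or from FFmpeg): the buffer length and the sscanf width both derive from one constant, and `%n` is used to reject a token that the width limit would otherwise split silently. The names `NAME_MAX_CHARS`, `name_pair` and `parse_names`, and the two-token line format, are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; none of them come from libswscale. */
#define NAME_MAX_CHARS 12            /* longest token accepted, as in "%12s" */
#define STR2(x) #x
#define STR(x)  STR2(x)              /* STR(NAME_MAX_CHARS) expands to "12" */

struct name_pair {
    char src[NAME_MAX_CHARS + 1];    /* +1: sscanf appends a NUL after the token */
    char dst[NAME_MAX_CHARS + 1];
};

static int at_token_end(char c)
{
    return c == '\0' || isspace((unsigned char)c);
}

/* Parse "<src> <dst>" from one line.
 * Returns 0 on success, -1 if two tokens were not found,
 * -2 if a token is longer than NAME_MAX_CHARS (it would be split silently). */
static int parse_names(const char *line, struct name_pair *out)
{
    int src_end = 0, dst_end = 0;
    int got = sscanf(line,
                     "%" STR(NAME_MAX_CHARS) "s%n %" STR(NAME_MAX_CHARS) "s%n",
                     out->src, &src_end, out->dst, &dst_end);

    if (got != 2)
        return -1;
    /* %n records where each token stopped; a non-space character there
     * means the width limit cut the token short. */
    if (!at_token_end(line[src_end]) || !at_token_end(line[dst_end]))
        return -2;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real results file. */
    const char *lines[] = { "yuv420p rgb24", "abcdefghijkl bgr24",
                            "abcdefghijklm bgr24", "rgb24" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        struct name_pair p;
        printf("%-22s -> %d\n", lines[i], parse_names(lines[i], &p));
    }
    return 0;
}
```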