From patchwork Tue Jul  2 18:38:00 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marvin Scholz <epirat07@gmail.com>
X-Patchwork-Id: 50289
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a59:cc64:0:b0:482:c625:d099 with SMTP id k4csp2646458vqv;
        Tue, 2 Jul 2024 12:04:04 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCXq/IJ20C+1Q0OhLjd41ewfzivwZ6EhfkzKL5Syq4dCc90OkNGpK+v0toAGNIa1FaouHGlcF9emX/xlKMCPG4bWPBl7ITjTf8CHzw==
X-Google-Smtp-Source: 
 AGHT+IFMxyAlY6HSA1I21Z8uUk96ioLzH7rwviXxAi3RfOTvYkL2Wkp+6eKEUmV1czPmVCnNNdNp
X-Received: by 2002:a17:906:3993:b0:a72:7b17:5d68 with SMTP id
 a640c23a62f3a-a751386eccfmr711242866b.3.1719947044541;
        Tue, 02 Jul 2024 12:04:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1719947044; cv=none;
        d=google.com; s=arc-20160816;
        b=dobzO2xSm8quUZWRaR31HSxSWO8TjEYbFEd4q0xk8ZCRcg43hnqvblUExmmtKrChs5
         m9rVrJ+zmmVP0JJrr6jJ7zFmlz8PwB3MA+1yorHN+QLcq4ygsii0coy1qS3X0EjIpxvN
         d7Awyn/j/lzXMS8J4Y19y3khpdKY0wdnjIs7ZvntocbCF92WJ0RutcQC/0OUCYQ4RJlo
         CRKR9SwUkBM28Kk+sV+2JkDnaI+Pp+9O8pMYX9dLfxKVh/z7AhvRml/soPz9VG1JkmUD
         j8bwNZIvOc4HY1cuIZp73x3/vZsjhUoRjWFyUPKkUeNfIzli3CAOHPW7MhgdnNETFJbL
         fxfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:date:from:to:message-id:dkim-signature
         :delivered-to;
        bh=Jcb/fq2iuZ/2C1VPJjcDFbZj2XAe0GrH29MWAUDRkxs=;
        fh=5IeVwzS1vbVKjIV8MP3mnmnRtZGb8uteQ9r4QD2keV0=;
        b=IpEFyuYsPJIwBpDPycYBDun0Z2x6DrPcKJ0gAn0yeDYciyAYEJEhH/j2yDflc9FgpJ
         sAIkHXddt7Pic4d0gHElnyWbrN6EeEa2pd0IXRrtpLqV4SdT1nXFoLMmG6jhjatZjwgd
         3gRiA02L+OHUmwksf37DN3Yqtdguq9cp3GcAp6uhcQiBrqPCCGFI75toBukuwyD6agzf
         PY4Y8eR1k20Z4522cHhUjW28hpMtqxoGytAnXI/ggsepIB59jQ3qF6oDSaD9GekBntbg
         ra2KbWFPQq5ICwDthZOAVQ7jO9Q3vtDopZyAzt7jNiQxLKilMs2GUdMuwcG4BU2EBKSd
         tqkQ==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20230601 header.b=OCU6jZ1y;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 a640c23a62f3a-a72ab0969c8si480179266b.814.2024.07.02.12.04.04;
        Tue, 02 Jul 2024 12:04:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20230601 header.b=OCU6jZ1y;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5C60168D88F;
	Tue,  2 Jul 2024 21:38:50 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-ed1-f41.google.com (mail-ed1-f41.google.com
 [209.85.208.41])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 048C768D88F
 for <ffmpeg-devel@ffmpeg.org>; Tue,  2 Jul 2024 21:38:43 +0300 (EEST)
Received: by mail-ed1-f41.google.com with SMTP id
 4fb4d7f45d1cf-57cbc66a0a6so2978869a12.1
 for <ffmpeg-devel@ffmpeg.org>; Tue, 02 Jul 2024 11:38:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1719945522; x=1720550322; darn=ffmpeg.org;
 h=subject:date:from:to:message-id:from:to:cc:subject:date:message-id
 :reply-to; bh=jzS1NR6oXJzpJnbaCaEhQklTrP8E/WIRkFmzVLE1qeU=;
 b=OCU6jZ1ytmTpbjwjXjyWCtEMBEMM0AcF8UDPJkCWRZI1c/l4+X9suQIEpSKaoOuzkv
 hwEJWoUsv9jNtzTzL6S4+/Q016a+VrDqX5x/D2c14nm0kEt//ogvE+cJxeH1NVu6srx1
 Rsky53ENxZKtCjqjIj+3odTTmuatLby8LkQRR4txFUsapDZHdowXqfXXEWWob9qCTs3W
 a40RfXWCQVrJl3QWpwFgGDYCb81SC5l8pHs+cVSsNFbNtBkuWPyQ+YP3txCbeI4PMG9b
 /IxyJkdGx/cn+wT3u+jJ7WyW9GO83WjKi+2jK2m4NBnxm6vmXJRdizux0Wivrc8bZQZO
 yoag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1719945522; x=1720550322;
 h=subject:date:from:to:message-id:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=jzS1NR6oXJzpJnbaCaEhQklTrP8E/WIRkFmzVLE1qeU=;
 b=hbC33YSWeBKXHQKCIGMlv99rDwPDj4DA+HWRQ4GQKod4Tt2YMCvKMOLTfyKhy8zryU
 HQclo+EFu+Np835FUeQ5DkeQt5pEW+DNiUWSgA1MR9W5n4jfRFDp8+DNRbnlfOQqTlOM
 N9UsenxbjEZT98hYvcGWJT2Z7BZYtWWvJhs+cXkKK9hqHT0fF+zj8inxvcpVuaWR/uGa
 JwdFJNnf40GG5fkBxhPxH876xOt/BXACYN6u1rgwlojAGDJG0r196G//xqCtbbnVYA2v
 fSDGOwnA6s0DQrFsLhPY1jUQ1K41Nb1UblvsaxnlbfdRDntkx8QC6HjYUNchNqWaIZGf
 ZUiw==
X-Gm-Message-State: AOJu0YxECXYGf4L9bHgc8mhsbk2JwhHtsR9Oq1w8nzWpt8UwxebHkOZ7
 FLOYeDZbNygNrP1IBhsDp8/OuoUq+EpCe4kHA2XaBe04Wym8iTY1urs2Hw==
X-Received: by 2002:a05:6402:3550:b0:58c:77b4:404b with SMTP id
 4fb4d7f45d1cf-58c77b441e2mr344652a12.15.1719945522164;
 Tue, 02 Jul 2024 11:38:42 -0700 (PDT)
Received: from localhost
 (p200300cccf0d6b0015dc1b9b6d5e601e.dip0.t-ipconnect.de.
 [2003:cc:cf0d:6b00:15dc:1b9b:6d5e:601e])
 by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-58b43df9efdsm1305433a12.57.2024.07.02.11.38.41
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 02 Jul 2024 11:38:41 -0700 (PDT)
Message-Id: <D2F9SW6UXDCW.16Z6454LXC9CP@gmail.com>
To: <ffmpeg-devel@ffmpeg.org>
From: "Marvin Scholz" <epirat07@gmail.com>
Date: Tue, 2 Jul 2024 20:38:00 +0200
Subject: [FFmpeg-devel] [PATCH] lavfi/perlin: Fix out of bounds stack buffer
 write
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: AnACSHqtA/nZ

An incorrect calculation in ff_perlin_init causes a write to the
stack array at index 256, which is out of bounds.

Fixes: CID1608711
---
 libavfilter/perlin.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


base-commit: e783e45e29e78616debba7f6d1fe6e54dc336496

diff --git a/libavfilter/perlin.c b/libavfilter/perlin.c
index 09bae7ad33..ffad8c1e4e 100644
--- a/libavfilter/perlin.c
+++ b/libavfilter/perlin.c
@@ -129,7 +129,7 @@ int ff_perlin_init(FFPerlin *perlin, double period, int octaves, double persiste
         for (i = 0; i < 256; i++) {
             unsigned int random_idx = av_lfg_get(&lfg) % (256-i);
             uint8_t random_val = random_permutations[random_idx];
-            random_permutations[random_idx] = random_permutations[256-i];
+            random_permutations[random_idx] = random_permutations[255-i];
 
             perlin->permutations[i] = perlin->permutations[i+256] = random_val;
         }