From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 16 Jul 2020 22:29:39 -0300
Message-Id: <20200717012939.9361-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avcodec/libdav1d: use av_image_get_buffer_size() to calculate frame size

Calling av_image_fill_arrays() with NULL as src argument may result in UB.

Signed-off-by: James Almer
---
It will still happen even after this patch because of the current av_image_get_buffer_size() implementation, but will stop being the case after the patchset by Brian Kim is applied.

libavcodec/libdav1d.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/libdav1d.c b/libavcodec/libdav1d.c index bbb3ec1e6c..132d344296 100644 --- a/libavcodec/libdav1d.c +++ b/libavcodec/libdav1d.c 
@@ -66,12 +66,11 @@ static int libdav1d_picture_allocator(Dav1dPicture *p, void *cookie) { Libdav1dContext *dav1d = cookie; enum AVPixelFormat format = pix_fmt[p->p.layout][p->seq_hdr->hbd]; - int ret, linesize[4], h = FFALIGN(p->p.h, 128); + int ret, linesize[4], h = FFALIGN(p->p.h, 128), w = FFALIGN(p->p.w, 128); uint8_t *aligned_ptr, *data[4]; AVBufferRef *buf; - ret = av_image_fill_arrays(data, linesize, NULL, format, FFALIGN(p->p.w, 128), - h, DAV1D_PICTURE_ALIGNMENT); + ret = av_image_get_buffer_size(format, w, h, DAV1D_PICTURE_ALIGNMENT); if (ret < 0) return ret; @@ -94,7 +93,8 @@ static int libdav1d_picture_allocator(Dav1dPicture *p, void *cookie) // Use the extra DAV1D_PICTURE_ALIGNMENT padding bytes in the buffer to align it // if required. aligned_ptr = (uint8_t *)FFALIGN((uintptr_t)buf->data, DAV1D_PICTURE_ALIGNMENT); - ret = av_image_fill_pointers(data, format, h, aligned_ptr, linesize); + ret = av_image_fill_arrays(data, linesize, aligned_ptr, format, w, h, + DAV1D_PICTURE_ALIGNMENT); if (ret < 0) { av_buffer_unref(&buf); return ret;
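Review bot: In the first hunk (@@ -66,12 +66,11 @@), linesize[4] and data[4] are no longer populated at the top of libdav1d_picture_allocator(), because av_image_get_buffer_size() takes neither array, so both stay uninitialised until the av_image_fill_arrays() call in the second hunk. Please confirm that none of the lines between the two hunks (not shown in this patch) read linesize or data. Separately, the caveat that the UB persists until Brian Kim's patchset lands sits below the "---" and will not reach the commit log; either move it into the commit message or order this patch after that set so the message is accurate as committed.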
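Review bot: In the second hunk (@@ -94,7 +93,8 @@), the return value of av_image_fill_arrays() is only tested with "if (ret < 0)", although it is the number of bytes the layout needs starting at aligned_ptr, and aligned_ptr may have been advanced past buf->data by the FFALIGN() on the line above. The buffer was sized from a separate av_image_get_buffer_size() call in the first hunk, so correctness depends on both calls receiving identical format, w, h and DAV1D_PICTURE_ALIGNMENT arguments. Consider comparing ret against the space left in buf after alignment (buf->size minus the aligned_ptr offset) and failing with av_buffer_unref(&buf) on a mismatch, or at least adding a comment stating that the two calls must stay in sync.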