[FFmpeg-devel] libx264.c:encode_nals can overwrite buffers
Paul Flinders
Fri Dec 31 23:50:12 CET 2010
Despite being passed in the buffer size libx264.c:encode_nals (and
libxavs:encode_nals) make no checks and assume that the buffer is large
enough to hold the output data and will overflow silently if it isn't.

This shows up with current versions of kdenlive - trying to use their
"lossless fast" preset causes a crash in the mlt command line renderer.
Ultimately this is because mlt allocates too small a buffer and the
lossless encoder can generate quite large frames but ffmpeg should
really be able to catch this and generate an error, rather than just
causing a crash.

The following patch adds the necessary checks.
--- libx264.c 2010-12-31 22:28:07.000000000 +0000
+++ libx264.c~ 2010-12-26 16:32:46.000000000 +0000
@@ -60,13 +60,8 @@
/* Write the SEI as part of the first frame. */
if (x4->sei_size > 0 && nnal > 0) {
- if (size < x4->sei_size){
- av_log(ctx, AV_LOG_ERROR, "supplied buffer too small\n");
- return 0;
- }
memcpy(p, x4->sei, x4->sei_size);
p += x4->sei_size;
- size -= x4->sei_size;
x4->sei_size = 0;
}
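Review bot: the diff is reversed, so the checks the message says it adds appear as `-` lines: the `---` header names the edited `libx264.c` and the `+++` header the backup `libx264.c~`. Regenerate it with the old file first (`diff -u libx264.c~ libx264.c`) so it applies as intended. Also, `- return 0;` on the SEI-too-small path reports "no output" rather than a failure to the caller; a negative error code would let the caller tell the overflow apart from an empty frame.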
@@ -78,13 +73,8 @@
memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload);
continue;
}
- if (size < nals[i].i_payload){
- av_log(ctx, AV_LOG_ERROR, "supplied buffer too small\n");
- return p - buf;
- }
memcpy(p, nals[i].p_payload, nals[i].i_payload);
p += nals[i].i_payload;
- size -= nals[i].i_payload;
}
return p - buf;
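Review bot: on overflow here `return p - buf;` hands back the length of a partially written frame as if the encode had succeeded, so the caller will emit a truncated frame with only the log line as a hint; return a negative error code instead, and make the first hunk's failure path return the same value rather than 0 so both sites behave alike. The check itself is sound: `size -= nals[i].i_payload;` can no longer go negative because the preceding `if (size < nals[i].i_payload)` guards it. Note the message also names libxavs:encode_nals as affected, but the patch only touches libx264.c.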
[Previously noted Issue1586 BTW]
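As an added example, not part of Paul's patch or of FFmpeg's own code, here is a bounds-checked routine in the shape of encode_nals that refuses the whole frame instead of returning a partial length; `pack_nals_checked`, `pack_sample`, the `nal_t` stand-in and the sample NAL bytes are constructed for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for x264's nal_t: only the two fields encode_nals uses. */
typedef struct { const unsigned char *p_payload; int i_payload; } nal_t;
/* Bounds-checked packing of an optional SEI blob followed by every NAL into
 * the caller's buffer (hypothetical name, modelled on encode_nals). Unlike the
 * patch above it never returns a partial length: the result is the number of
 * bytes written, or -E2BIG if the buffer cannot hold the whole frame. */
long pack_nals_checked(unsigned char *buf, size_t size,
                       const unsigned char *sei, size_t sei_size,
                       const nal_t *nals, int nnal)
{
    unsigned char *p = buf;
    size_t left = size;           /* bytes still free after p */

    /* Write the SEI as part of the first frame, as encode_nals does. */
    if (sei_size > 0 && nnal > 0) {
        if (left < sei_size)
            return -E2BIG;
        memcpy(p, sei, sei_size);
        p += sei_size;
        left -= sei_size;
    }
    for (int i = 0; i < nnal; i++) {
        /* i_payload is an int in x264; reject negatives before the size_t compare. */
        if (nals[i].i_payload < 0 || left < (size_t)nals[i].i_payload)
            return -E2BIG;
        memcpy(p, nals[i].p_payload, nals[i].i_payload);
        p += nals[i].i_payload;
        left -= (size_t)nals[i].i_payload;
    }
    return (long)(p - buf);
}

/* Constructed sample frame: a 3-byte SEI plus two NALs of 4 and 6 bytes. */
static const unsigned char k_sei[3]   = {0x06, 0x05, 0x00};
static const unsigned char k_nal_a[4] = {0x00, 0x00, 0x00, 0x01};
static const unsigned char k_nal_b[6] = {0x00, 0x00, 0x00, 0x01, 0x65, 0x88};

/* Packs the sample frame into a buffer of the given size (13 bytes fit exactly). */
long pack_sample(size_t bufsize)
{
    unsigned char out[64];        /* larger than any bufsize we test */
    nal_t nals[2] = { {k_nal_a, 4}, {k_nal_b, 6} };
    if (bufsize > sizeof out) return -EINVAL;
    return pack_nals_checked(out, bufsize, k_sei, sizeof k_sei, nals, 2);
}
```

A buffer one byte short of the 13-byte frame is rejected outright, which is the behaviour a caller such as mlt can act on instead of receiving a truncated frame.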