[FFmpeg-devel] [PATCH] lavfi/alphaextract: fix invalid buffer access in case of negative YUV linesize
Stefano Sabatini
stefasab at gmail.com
Fri Dec 7 00:06:13 CET 2012
Fix crash.
---
libavfilter/vf_alphaextract.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/libavfilter/vf_alphaextract.c b/libavfilter/vf_alphaextract.c
index 766cc8c..94da122 100644
--- a/libavfilter/vf_alphaextract.c
+++ b/libavfilter/vf_alphaextract.c
@@ -85,14 +85,22 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *cur_buf)
}
} else if (cur_buf->linesize[A] == out_buf->linesize[Y]) {
const int linesize = cur_buf->linesize[A];
- memcpy(out_buf->data[Y], cur_buf->data[A], linesize * inlink->h);
+ const int blocksize = abs(linesize)*(inlink->h);
+ if (linesize < 0)
+ memcpy(out_buf->data[Y]-blocksize+linesize,
+ cur_buf->data[A]-blocksize+linesize*(inlink->h-1), blocksize);
+ else
+ memcpy(out_buf->data[Y], cur_buf->data[A], blocksize);
} else {
- const int linesize = FFMIN(out_buf->linesize[Y], cur_buf->linesize[A]);
+ const int linesize = abs(FFMIN(out_buf->linesize[Y], cur_buf->linesize[A]));
+ uint8_t *pout = out_buf->data[Y];
+ uint8_t *pin = cur_buf->data[A];
int y;
+
for (y = 0; y < inlink->h; y++) {
- memcpy(out_buf->data[Y] + y * out_buf->linesize[Y],
- cur_buf->data[A] + y * cur_buf->linesize[A],
- linesize);
+ memcpy(pout, pin, linesize);
+ pout += out_buf->linesize[Y];
+ pin += cur_buf->linesize[A];
}
}
--
1.7.9.5
More information about the ffmpeg-devel
mailing list