[FFmpeg-devel] [PATCH] rawdec: allocate a buffer in the appropriate size in the copy case.
Hendrik Leppkes
h.leppkes at gmail.com
Sun Jun 16 08:28:33 CEST 2013
On Sun, Jun 16, 2013 at 12:41 AM, Michael Niedermayer <michaelni at gmx.at> wrote:
> On Sat, Jun 15, 2013 at 03:47:42PM +0200, Hendrik Leppkes wrote:
>> Otherwise the created buffer can be smaller than buf_size, which results
>> in buffer overreads if the original image has extra padding on every line.
>> ---
>> libavcodec/rawdec.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
>> index 4699242..c9b6802 100644
>> --- a/libavcodec/rawdec.c
>> +++ b/libavcodec/rawdec.c
>> @@ -190,7 +190,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
>> return res;
>>
>> if (need_copy)
>> - frame->buf[0] = av_buffer_alloc(context->frame_size);
>> + frame->buf[0] = av_buffer_alloc(buf_size);
>> else
>> frame->buf[0] = av_buffer_ref(avpkt->buf);
>> if (!frame->buf[0])
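Review bot: sizing the allocation at `frame->buf[0] = av_buffer_alloc(buf_size);` only covers the path that copies the packet into the frame unchanged; a path that expands the input into the frame buffer (the 2/4bpp case raised later in this thread) writes up to context->frame_size regardless of the packet size, so with a short packet this allocation is now too small. Allocate FFMAX(buf_size, context->frame_size), or have each write path bound itself by frame->buf[0]->size rather than by the size it expects.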
>
> this doesn't look safe, I think the code can write more than buf_size
> into this
>
Looking at the 2/4bpp case, I think it should be FFMAX(buf_size,
context->frame_size) instead, because the 2/4bpp case is the only case
where the input data isn't copied over without modification.
Does this sound right?