[FFmpeg-devel] [PATCH] avcodec/pngenc: fix invalid read in sub filter.
Clément Bœsch
u at pkh.me
Sun Feb 23 20:17:08 CET 2014
On Sat, Feb 22, 2014 at 10:36:40AM +0100, Michael Niedermayer wrote:
> On Fri, Feb 21, 2014 at 02:20:25PM +0100, Clément Bœsch wrote:
> > First pixel was computed based on invalid address read, and then
> > corrected by the following memcpy. After the commit, it's not computed
> > anymore, and memcpy fills the appropriate area.
> >
> > Fixes Ticket #3387
> > ---
> > libavcodec/pngenc.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
> > index bf61be1..7fb511a 100644
> > --- a/libavcodec/pngenc.c
> > +++ b/libavcodec/pngenc.c
> > @@ -123,7 +123,7 @@ static void png_filter_row(DSPContext *dsp, uint8_t *dst, int filter_type,
> > memcpy(dst, src, size);
> > break;
> > case PNG_FILTER_VALUE_SUB:
> > - dsp->diff_bytes(dst, src, src-bpp, size);
> > + dsp->diff_bytes(dst + bpp, src + bpp, src, size - bpp);
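Review bot: on the added line, `dst + bpp` and `src + bpp` are passed as the first two arguments of `diff_bytes`, so both pointers are shifted by `bpp` from the row start and keep the row's alignment only when `bpp` is a multiple of it. If `diff_bytes` places alignment requirements on those arguments, compute the leading bytes with a plain loop up to an aligned offset and call `diff_bytes` from there. The call also no longer writes the first `bpp` bytes of `dst` and passes `size - bpp` as the width: a short comment saying that the memcpy mentioned in the commit message fills those bytes, and a check that `size >= bpp` holds here so the width cannot go negative, would make the case self-explanatory.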
>
> dsputil.h specifies that dst&src1 need 16byte align
> void (*diff_bytes)(uint8_t *dst/*align 16*/, const uint8_t *src1/*align 16*/, const uint8_t *src2/*align 1*/,int w);
>
> also see sub_left_prediction() in huffyuvenc
>
Mmh. Would the attached patch be more reasonable then?
--
Clément B.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-avcodec-pngenc-fix-invalid-read-in-sub-filter.patch
Type: text/x-diff
Size: 1801 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20140223/447b370a/attachment.bin>