[FFmpeg-devel] [PATCH] avfilter/vf_sr: fix read out of bounds

Pedro Arthur bygrandao at gmail.com
Tue Sep 18 17:00:08 EEST 2018 

Hi,

2018-09-17 0:43 GMT-03:00 Zhao Zhili <quinkblack at foxmail.com>:

> Ping for review.
>
> On 2018年09月13日 15:58, Zhao Zhili wrote:
>
>> ---
>>   libavfilter/vf_sr.c | 9 ++++++---
>>   1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/libavfilter/vf_sr.c b/libavfilter/vf_sr.c
>> index 5ad1baa..bc9d186 100644
>> --- a/libavfilter/vf_sr.c
>> +++ b/libavfilter/vf_sr.c
>> @@ -239,7 +239,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame
>> *in)
>>                     0, sr_context->sws_slice_h, out->data, out->linesize);
>>             sws_scale(sr_context->sws_contexts[1], (const uint8_t
>> **)out->data, out->linesize,
>> -                  0, out->height, (uint8_t *
>> const*)(&sr_context->input.data), &sr_context->sws_input_linesize);
>> +                  0, out->height, (uint8_t *
>> const*)(&sr_context->input.data),
>> +                  (const int [4]){sr_context->sws_input_linesize, 0, 0,
>> 0});
>>           break;
>>       case ESPCN:
>>           if (sr_context->sws_contexts[0]){
>> @@ -250,7 +251,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame
>> *in)
>>           }
>>             sws_scale(sr_context->sws_contexts[1], (const uint8_t
>> **)in->data, in->linesize,
>> -                  0, in->height, (uint8_t *
>> const*)(&sr_context->input.data), &sr_context->sws_input_linesize);
>> +                  0, in->height, (uint8_t *
>> const*)(&sr_context->input.data),
>> +                  (const int [4]){sr_context->sws_input_linesize, 0, 0,
>> 0});
>>       }
>>       av_frame_free(&in);
>>   @@ -260,7 +262,8 @@ static int filter_frame(AVFilterLink *inlink,
>> AVFrame *in)
>>           return AVERROR(EIO);
>>       }
>>   -    sws_scale(sr_context->sws_contexts[2], (const uint8_t
>> **)(&sr_context->output.data), &sr_context->sws_output_linesize,
>> +    sws_scale(sr_context->sws_contexts[2], (const uint8_t
>> **)(&sr_context->output.data),
>> +              (const int [4]){sr_context->sws_output_linesize, 0, 0, 0},
>>                 0, out->height, (uint8_t * const*)out->data,
>> out->linesize);
>>         return ff_filter_frame(outlink, out);
>>
>
> The patch does not apply against head, but the fix is correct.
Could you make a new patch?

Thanks,
Pedro.

More information about the ffmpeg-devel mailing list