[FFmpeg-devel] [PATCH 09/15] avcodec/ffv1enc: Fix out-of-bounds-array access
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Wed Sep 25 01:03:04 EEST 2019
libavcodec/ffv1enc.c accessed an array of uint8_t [32] via array[0][j]
in order to loop over all the uint8_t in this array of arrays. Of course
this implied an out-of-bounds access for array[0] and UBSan complained
about this. So perform the access via an ordinary pointer to uint8_t.
This affected the FATE-tests vsynth1-ffv1, vsynth1-ffv1-v3-yuv420p,
vsynth1-ffv1-v3-yuv422p10, vsynth1-ffv1-v3-yuv444p16,
vsynth1-ffv1-v3-bgr0, vsynth1-ffv1-ffv1-v3-rgb48 as well as the
corresponding vsynth2-*, vsynth3-* and the vsynth_lena-* tests.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
---
libavcodec/ffv1enc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c
index 1bf9663053..5eb439135c 100644
--- a/libavcodec/ffv1enc.c
+++ b/libavcodec/ffv1enc.c
@@ -429,8 +429,9 @@ static int write_extradata(FFV1Context *f)
for (i = 0; i < f->quant_table_count; i++) {
if (f->initial_states[i]) {
+ uint8_t *initial_state = &f->initial_states[i][0][0];
for (j = 0; j < f->context_count[i] * CONTEXT_SIZE; j++)
- if (f->initial_states[i][0][j] != 128)
+ if (initial_state[j] != 128)
break;
} else {
j = f->context_count[i] * CONTEXT_SIZE;
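Review bot: The flattened `initial_state` pointer introduced on the `+ uint8_t *initial_state = &f->initial_states[i][0][0];` line is only well-defined because `f->initial_states[i]` is one contiguous allocation of `context_count[i]` arrays of `CONTEXT_SIZE` bytes; that is what makes walking `j` up to `context_count[i] * CONTEXT_SIZE` through a plain `uint8_t *` legal, whereas `[0][j]` indexed past the fixed inner dimension of the first element, which is what UBSan flagged even though no memory outside the block was touched. A short comment above the declaration stating that assumption, e.g. `/* initial_states[i] is one contiguous block; scan it as flat bytes */`, would keep a future refactor of the allocation from silently reintroducing the issue.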
--
2.20.1