[FFmpeg-cvslog] xface: Fix encoder crashes due to too small on-stack array.

Reimar Döffinger git at videolan.org
Sun Nov 23 06:53:32 CET 2014


ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Sat Nov 22 23:12:51 2014 +0100| [6369a7b742bd64e7ded377fe79a5d723379ce08d] | committer: Reimar Döffinger

xface: Fix encoder crashes due to too small on-stack array.

Also add a FATE test.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6369a7b742bd64e7ded377fe79a5d723379ce08d
---

 libavcodec/xface.h             |    9 +++++----
 libavcodec/xfaceenc.c          |    3 +++
 libavformat/nut.c              |    1 +
 tests/fate/vcodec.mak          |    5 +++++
 tests/ref/vsynth/vsynth1-xface |    4 ++++
 tests/ref/vsynth/vsynth2-xface |    4 ++++
 tests/ref/vsynth/vsynth3-xface |    4 ++++
 7 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/libavcodec/xface.h b/libavcodec/xface.h
index cd59ba0..6fbe908 100644
--- a/libavcodec/xface.h
+++ b/libavcodec/xface.h
@@ -40,11 +40,12 @@
 
 /*
  * Image is encoded as a big integer, using characters from '~' to
- * '!', for a total of 92 symbols. In order to express 48x48=2304
- * bits, we need a total of 354 digits, as given by:
- * ceil(lg_92(2^2304)) = 354
+ * '!', for a total of 94 symbols. In order to express
+ * 48x48*2=8*XFACE_MAX_WORDS=4608
+ * bits, we need a total of 704 digits, as given by:
+ * ceil(lg_94(2^4608)) = 704
  */
-#define XFACE_MAX_DIGITS 354
+#define XFACE_MAX_DIGITS 704
 
 #define XFACE_BITSPERWORD 8
 #define XFACE_WORDCARRY (1 << XFACE_BITSPERWORD)
diff --git a/libavcodec/xfaceenc.c b/libavcodec/xfaceenc.c
index e213c9d..0ade302 100644
--- a/libavcodec/xfaceenc.c
+++ b/libavcodec/xfaceenc.c
@@ -27,6 +27,7 @@
 #include "xface.h"
 #include "avcodec.h"
 #include "internal.h"
+#include "libavutil/avassert.h"
 
 typedef struct XFaceContext {
     AVClass *class;
@@ -196,9 +197,11 @@ static int xface_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 
     /* write the inverted big integer in b to intbuf */
     i = 0;
+    av_assert0(b.nb_words < XFACE_MAX_WORDS);
     while (b.nb_words) {
         uint8_t r;
         ff_big_div(&b, XFACE_PRINTS, &r);
+        av_assert0(i < sizeof(intbuf));
         intbuf[i++] = r + XFACE_FIRST_PRINT;
     }
 
diff --git a/libavformat/nut.c b/libavformat/nut.c
index 9224a96..86a0301 100644
--- a/libavformat/nut.c
+++ b/libavformat/nut.c
@@ -40,6 +40,7 @@ const AVCodecTag ff_nut_data_tags[] = {
 };
 
 const AVCodecTag ff_nut_video_tags[] = {
+    { AV_CODEC_ID_XFACE,            MKTAG('X', 'F', 'A', 'C') },
     { AV_CODEC_ID_VP9,              MKTAG('V', 'P', '9', '0') },
     { AV_CODEC_ID_RAWVIDEO,         MKTAG('R', 'G', 'B', 15 ) },
     { AV_CODEC_ID_RAWVIDEO,         MKTAG('B', 'G', 'R', 15 ) },
diff --git a/tests/fate/vcodec.mak b/tests/fate/vcodec.mak
index c715071..803edec 100644
--- a/tests/fate/vcodec.mak
+++ b/tests/fate/vcodec.mak
@@ -294,6 +294,11 @@ fate-vsynth%-wmv2:               ENCOPTS = -qscale 10
 FATE_VCODEC-$(call ENCDEC, RAWVIDEO, AVI) += yuv
 fate-vsynth%-yuv:                CODEC = rawvideo
 
+FATE_VCODEC-$(call ENCDEC, XFACE, NUT) += xface
+fate-vsynth%-xface:              ENCOPTS = -s 48x48 -sws_flags neighbor+bitexact
+fate-vsynth%-xface:              DECOPTS = -sws_flags neighbor+bitexact
+fate-vsynth%-xface:              FMT = nut
+
 FATE_VCODEC-$(call ENCDEC, YUV4, AVI) += yuv4
 
 FATE_VCODEC-$(call ENCDEC, Y41P, AVI) += y41p
diff --git a/tests/ref/vsynth/vsynth1-xface b/tests/ref/vsynth/vsynth1-xface
new file mode 100644
index 0000000..3b916c6
--- /dev/null
+++ b/tests/ref/vsynth/vsynth1-xface
@@ -0,0 +1,4 @@
+487c3e53249f7b9f16e04257295998de *tests/data/fate/vsynth1-xface.nut
+19746 tests/data/fate/vsynth1-xface.nut
+42d8261bb538b8789840ac085f7fc4d2 *tests/data/fate/vsynth1-xface.out.rawvideo
+stddev:  103.88 PSNR:  7.80 MAXDIFF:  254 bytes:  7603200/  7603200
diff --git a/tests/ref/vsynth/vsynth2-xface b/tests/ref/vsynth/vsynth2-xface
new file mode 100644
index 0000000..5f60d66
--- /dev/null
+++ b/tests/ref/vsynth/vsynth2-xface
@@ -0,0 +1,4 @@
+6a1a7b467eeab2795510e7dd1ca528ff *tests/data/fate/vsynth2-xface.nut
+17504 tests/data/fate/vsynth2-xface.nut
+6d87881d630439d02c7a97f468d67a1c *tests/data/fate/vsynth2-xface.out.rawvideo
+stddev:   99.01 PSNR:  8.22 MAXDIFF:  238 bytes:  7603200/  7603200
diff --git a/tests/ref/vsynth/vsynth3-xface b/tests/ref/vsynth/vsynth3-xface
new file mode 100644
index 0000000..f98a5c5
--- /dev/null
+++ b/tests/ref/vsynth/vsynth3-xface
@@ -0,0 +1,4 @@
+f399a6b312d0a2d873b8a3bc761c5eba *tests/data/fate/vsynth3-xface.nut
+15696 tests/data/fate/vsynth3-xface.nut
+eafdc027c9c36f96e71e91a5682a0d2e *tests/data/fate/vsynth3-xface.out.rawvideo
+stddev:   97.22 PSNR:  8.37 MAXDIFF:  236 bytes:    86700/    86700



More information about the ffmpeg-cvslog mailing list