[FFmpeg-devel] [PATCH 2/4] Implement ocv_dilate libopencv filter wrapper.

Stefano Sabatini stefano.sabatini-lala
Mon Nov 15 15:34:28 CET 2010 

On date Friday 2010-11-12 23:10:08 +0100, Michael Niedermayer encoded:
> On Wed, Nov 10, 2010 at 11:14:43PM +0100, Stefano Sabatini wrote:
> > On date Saturday 2010-10-30 12:58:09 +0200, Michael Niedermayer encoded:
> > > On Sun, Oct 10, 2010 at 06:50:00PM +0200, Stefano Sabatini wrote:
> > [...]
> > > >  vf_libopencv.c |  131 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >  1 file changed, 131 insertions(+)
> > > > 203ad47ad53a8be3e06fbad25345db7e34c2296c  0002-Add-dilate-libopencv-filter.patch
> > > > From c182720ef3042269cb580f4bc1cd3d27a396ddcf Mon Sep 17 00:00:00 2001
> > > > From: Stefano Sabatini <stefano.sabatini-lala at poste.it>
> > > > Date: Sat, 2 Oct 2010 17:03:38 +0200
> > > > Subject: [PATCH 2/3] Add dilate libopencv filter.
> > > > 
> > > > ---
> > > >  libavfilter/vf_libopencv.c |  131 ++++++++++++++++++++++++++++++++++++++++++++
> > > >  1 files changed, 131 insertions(+), 0 deletions(-)
> > > > 
> > > > diff --git a/libavfilter/vf_libopencv.c b/libavfilter/vf_libopencv.c
> > > > index 0e3da4d..4f787ad 100644
> > > > --- a/libavfilter/vf_libopencv.c
> > > > +++ b/libavfilter/vf_libopencv.c
> > > > @@ -127,6 +127,136 @@ static void smooth_end_frame_filter(AVFilterContext *ctx, IplImage *inimg, IplIm
> > > >      cvSmooth(inimg, outimg, smooth->type, smooth->param1, smooth->param2, smooth->param3, smooth->param4);
> > > >  }
> > > >
> > > 
> > > > +static int read_shape_from_file(int *cols, int *rows, int **values, const char *filename, void *log_ctx)
> > > > +{
> > > > +    char *p, *buf;
> > > > +    size_t size;
> > > > +    int i, j, w;
> > > > +    FILE *f = fopen(filename, "rb");
> > > 
> > > Should use URLProtocol
> > 
> > I don't want to add a dependency on libavformat just for reading a
> > file.
> 
> i see your point, so if you prefer it that way ...
> 
> [...]
> >  vf_libopencv.c |  158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 158 insertions(+)
> > 7c4456cf4858535dfde85b4515ae3e06e33fd518  0002-Add-dilate-libopencv-filter.patch
> > From 2d1ca6f015b6cc7f5c5c5994443b86039bbb7737 Mon Sep 17 00:00:00 2001
> > From: Stefano Sabatini <stefano.sabatini-lala at poste.it>
> > Date: Sat, 2 Oct 2010 17:03:38 +0200
> > Subject: [PATCH 2/4] Add dilate libopencv filter.
> > 
> > ---
> >  libavfilter/vf_libopencv.c |  158 ++++++++++++++++++++++++++++++++++++++++++++
> >  1 files changed, 158 insertions(+), 0 deletions(-)
> > 
> > diff --git a/libavfilter/vf_libopencv.c b/libavfilter/vf_libopencv.c
> > index 0e3da4d..48e9dc2 100644
> > --- a/libavfilter/vf_libopencv.c
> > +++ b/libavfilter/vf_libopencv.c
> > @@ -23,6 +23,8 @@
> >   * libopencv wrapper functions
> >   */
> >  
> > +/* #define DEBUG */
> > +
> >  #include <opencv/cv.h>
> >  #include <opencv/cxtypes.h>
> >  #include "avfilter.h"
> > @@ -127,6 +129,161 @@ static void smooth_end_frame_filter(AVFilterContext *ctx, IplImage *inimg, IplIm
> >      cvSmooth(inimg, outimg, smooth->type, smooth->param1, smooth->param2, smooth->param3, smooth->param4);
> >  }
> >  
> > +static int read_shape_from_file(int *cols, int *rows, int **values, const char *filename, void *log_ctx)
> > +{
> > +    char *p, *buf;
> > +    size_t size;
> > +    int i, j, w;
> > +    FILE *file = fopen(filename, "rb");
> > +
> > +    *cols = *rows = 0;
> > +
> > +    if (!file) {
> > +        av_log(log_ctx, AV_LOG_ERROR, "Cannot read file '%s': %s\n", filename, strerror(errno));
> > +        return AVERROR(errno);
> > +    }
> 
> > +    fseek(file, 0, SEEK_END);
> > +    size = ftell(file);
> > +    fseek(file, 0, SEEK_SET);
> 
> we probably want this av_fsize() in libavutil
> 
> 
> > +    buf = av_malloc(size + 1);
> > +    if (!buf) {
> > +        fclose(file);
> > +        return AVERROR(ENOMEM);
> > +    }
> > +    fread(buf, 1, size, file);
> 
> this looks exploitable or will at least crash

I don't know what you're talking about. Note that this is the same
code as cmdutils.c:read_file.

> > +    buf[size++] = 0;
> > +    fclose(file);
> > +
> > +    /* prescan file to get the number of lines and the maximum width */
> > +    w = 0;
> > +    for (i = 0; i < size; i++) {
> > +        if (buf[i] == '\n') {
> > +            if (++(*rows) <= 0) {
> > +                av_log(log_ctx, AV_LOG_ERROR, "Overflow on the number of rows in the file\n");
> > +                return AVERROR(EINVAL);
> > +            }
> > +            *cols = FFMAX(*cols, w);
> > +            w = 0;
> > +        } else if (++w <= 0) {
> > +            av_log(log_ctx, AV_LOG_ERROR, "Overflow on the number of columns in the file\n");
> > +            return AVERROR(EINVAL);
> > +        }
> 
> these tests are useless signed overflow is undefined, any good compiler should
> remove these tests and you still get the overflow and whatever happens without
> them triggering

Is:
            if (*rows == INT_MAX) {
                av_log(log_ctx, AV_LOG_ERROR, "Overflow on the number of rows in the file\n");
                return AVERROR(EINVAL);
            }
            ++(*rows);
OK?

[...]
> > +    if (*rows > sizeof(int) * INT_MAX / *cols) {
> 
> 4*INT_MAX
> is this a joke?

changed to something saner:
    if (*rows > (INT_MAX / (sizeof(int)) / *cols)) {
        av_log(log_ctx, AV_LOG_ERROR, "File with size %dx%d is too big\n",
               *rows, *cols);
        return AVERROR_INVALIDDATA;
    }
    if (!(*values = av_mallocz(sizeof(int) * *rows * *cols)))
        ...

[...]
-- 
FFmpeg = Formidable and Fanciful MultiPurpose Extreme Guru

More information about the ffmpeg-devel mailing list