[FFmpeg-devel] [PATCH 13/16] vqavideo: check for out of bound reads.
Michael Niedermayer
michaelni at gmx.at
Sun Oct 9 03:18:40 CEST 2011
On Sun, Oct 09, 2011 at 01:52:08AM +0200, Reimar Döffinger wrote:
[...]
> Because I won't remember it (there's still that piece of code that
> should be using FFALIGN I keep forgetting about and no longer even
> remember where it is) and it just won't get done.
is it among the ones below? :)
libavcodec/4xm.c:444: || (((const char*)f->wordstream - (const char*)buf + 2)&~2) != extra + bitstream_size + wordstream_size
libavcodec/4xm.c:445: || (((const char*)f->bytestream - (const char*)buf + 3)&~3) != extra + bitstream_size + wordstream_size + bytestream_size)
libavcodec/4xm.c:448: -(((const char*)f->bytestream - (const char*)buf + 3)&~3) + (extra + bitstream_size + wordstream_size + bytestream_size),
libavcodec/4xm.c:449: -(((const char*)f->wordstream - (const char*)buf + 2)&~2) + (extra + bitstream_size + wordstream_size)
libavcodec/aasc.c:80: stride = (avctx->width * 3 + 3) & ~3;
libavcodec/ansi.c:345: count = ((i + 8) & ~7) - i;
libavcodec/apedec.c:817: s->data = av_realloc(s->data, (buf_size + 3) & ~3);
libavcodec/bmp.c:210: n = ((avctx->width * depth) / 8 + 3) & ~3;
libavcodec/cinepak.c:400: s->width = (avctx->width + 3) & ~3;
libavcodec/cinepak.c:401: s->height = (avctx->height + 3) & ~3;
libavcodec/dnxhdenc.c:607: ctx->slice_size[mb_y] = (ctx->slice_size[mb_y]+31)&~31;
libavcodec/dnxhdenc.c:693: bits = (bits+31)&~31; // padding
libavcodec/dnxhdenc.c:751: bits = (bits+31)&~31; // padding
libavcodec/eatgv.c:172: mvbits = (num_mvs*2*10+31) & ~31;
libavcodec/imgconvert.c:341: memcpy((unsigned char *)(((size_t)dest + 3) & ~3), src->data[1], 256 * 4);
libavcodec/indeo3.c:102: int luma_width = (s->width + 3) & ~3,
libavcodec/indeo3.c:103: luma_height = (s->height + 3) & ~3,
libavcodec/indeo3.c:104: chroma_width = ((luma_width >> 2) + 3) & ~3,
libavcodec/indeo3.c:105: chroma_height = ((luma_height >> 2) + 3) & ~3,
libavcodec/motionpixels.c:55: int w4 = (avctx->width + 3) & ~3;
libavcodec/motionpixels.c:56: int h4 = (avctx->height + 3) & ~3;
libavcodec/motionpixels.c:184: for (i = (x + 3) & ~3; i < x + w; i += 4) {
libavcodec/nuv.c:110: width = (width + 1) & ~1;
libavcodec/nuv.c:111: height = (height + 1) & ~1;
libavcodec/pcxenc.c:145: line_bytes = (line_bytes + 1) & ~1;
libavcodec/qdm2.c:1595: for (i = 0; i < ((q->fft_frame_size + 15) & ~15); i++)
libavcodec/rawdec.c:109: context->length = avpicture_get_size(avctx->pix_fmt, (avctx->width+3)&~3, avctx->height);
libavcodec/rawdec.c:203: ((frame->linesize[0]+3)&~3)*avctx->height <= buf_size)
libavcodec/rawdec.c:204: frame->linesize[0] = (frame->linesize[0]+3)&~3;
libavcodec/svq1dec.c:757: s->width = (avctx->width+3)&~3;
libavcodec/svq1dec.c:758: s->height = (avctx->height+3)&~3;
libavcodec/wmadec.c:893: pos = get_bits_count(&s->gb) + ((bit_offset + 4 + 4 + s->byte_offset_bits + 3) & ~7);
libavcodec/zmbv.c:97: src += ((c->bx * c->by * 2 + 3) & ~3);
libavcodec/zmbv.c:168: src += ((c->bx * c->by * 2 + 3) & ~3);
libavcodec/zmbv.c:244: src += ((c->bx * c->by * 2 + 3) & ~3);
libavcodec/zmbv.c:324: src += ((c->bx * c->by * 2 + 3) & ~3);
libavcodec/zmbvenc.c:189: memset(c->work_buf + work_size, 0, (bw * bh * 2 + 3) & ~3);
libavcodec/zmbvenc.c:190: work_size += (bw * bh * 2 + 3) & ~3;
libavfilter/vf_cropdetect.c:163: x = (cd->x1+1) & ~1;
libavfilter/vf_cropdetect.c:164: y = (cd->y1+1) & ~1;
libavfilter/vf_cropdetect.c:178: x += (shrink_by/2 + 1) & ~1;
libavfilter/vf_cropdetect.c:182: y += (shrink_by/2 + 1) & ~1;
libavfilter/vf_gradfun.c:130: gf->radius = av_clip((radius + 1) & ~1, 4, 32);
libavfilter/vf_gradfun.c:180: gf->chroma_r = av_clip(((((gf->radius >> hsub) + (gf->radius >> vsub)) / 2 ) + 1) & ~1, 4, 32);
libavformat/ape.c:299: ape->frames[i].size = (ape->frames[i].size + 3) & ~3;
libavformat/mpc.c:143: size = ((size2 + curbits + 31) & ~31) >> 3;
libavformat/rtpdec_qt.c:158: avio_skip(&pb, ((avio_tell(&pb) + 3) & ~3) - avio_tell(&pb));
libavformat/soxenc.c:54: comment_size = (comment_len + 7) & ~7;
libavformat/tmv.c:133: ((tmv->video_chunk_size + tmv->audio_chunk_size + 511) & ~511) -
libavutil/imgutils.c:120: size[0] = (size[0] + 3) & ~3;
libavformat/wtv.h:31:#define WTV_PAD8(x) (((x) + 7) & ~7)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Avoid a single point of failure, be that a person or equipment.