[FFmpeg-devel] [PATCH] lavfi/smptebars: fix invalid writes

Thu Apr 4 21:02:46 CEST 2013

On date Thursday 2013-04-04 14:36:52 +0000, Paul B Mahol encoded:
> Signed-off-by: Paul B Mahol <onemda at gmail.com>
> ---
>  libavfilter/vsrc_testsrc.c | 22 +++++++++++-----------
>  1 file changed, 11 insertions(+), 11 deletions(-)
> 
> diff --git a/libavfilter/vsrc_testsrc.c b/libavfilter/vsrc_testsrc.c
> index 9317f82..5b1cefc 100644
> --- a/libavfilter/vsrc_testsrc.c
> +++ b/libavfilter/vsrc_testsrc.c
> @@ -721,25 +721,25 @@ static void smptebars_fill_picture(AVFilterContext *ctx, AVFrame *picref)
>      for (i = 0; i < 7; i++) {
>          DRAW_COLOR(rainbow[i], x, 0,   FFMIN(r_w, test->w - x), r_h);
>          DRAW_COLOR(wobnair[i], x, r_h, FFMIN(r_w, test->w - x), w_h);
> -        x += r_w;
> +        x = FFMIN(test->w, x + r_w);
>      }
>      x = 0;
>      DRAW_COLOR(i_pixel, x, r_h + w_h, p_w, p_h);
> -    x += p_w;
> +    x = FFMIN(test->w, x + p_w);
>      DRAW_COLOR(white, x, r_h + w_h, p_w, p_h);
> -    x += p_w;
> +    x = FFMIN(test->w, x + p_w);
>      DRAW_COLOR(q_pixel, x, r_h + w_h, p_w, p_h);
> -    x += p_w;
> +    x = FFMIN(test->w, x + p_w);
>      tmp = FFALIGN(5 * r_w - x,  1 << pixdesc->log2_chroma_w);
>      DRAW_COLOR(black, x, r_h + w_h, tmp, p_h);
> -    x += tmp;
> +    x = FFMIN(test->w, x + tmp);
>      tmp = FFALIGN(r_w / 3,  1 << pixdesc->log2_chroma_w);
> -    DRAW_COLOR(neg4ire, x, r_h + w_h, tmp, p_h);
> -    x += tmp;
> -    DRAW_COLOR(black, x, r_h + w_h, tmp, p_h);
> -    x += tmp;
> -    DRAW_COLOR(pos4ire, x, r_h + w_h, tmp, p_h);
> -    x += tmp;
> +    DRAW_COLOR(neg4ire, x, r_h + w_h, FFMIN(tmp, test->w - x), p_h);
> +    x = FFMIN(test->w, x + tmp);
> +    DRAW_COLOR(black, x, r_h + w_h, FFMIN(tmp, test->w - x), p_h);
> +    x = FFMIN(test->w, x + tmp);
> +    DRAW_COLOR(pos4ire, x, r_h + w_h, FFMIN(tmp, test->w - x), p_h);
> +    x = FFMIN(test->w, x + tmp);
>      DRAW_COLOR(black, x, r_h + w_h, test->w - x, p_h);

How does this happen?

Also, shouldn't you check for the height values as well?
-- 
FFmpeg = Fanciful and Fast Merciful Political Egregious Gorilla