[FFmpeg-devel] [PATCH] avcodec/pngenc: fix invalid read in sub filter.

Clément Bœsch u at pkh.me
Sun Feb 23 20:17:08 CET 2014


On Sat, Feb 22, 2014 at 10:36:40AM +0100, Michael Niedermayer wrote:
> On Fri, Feb 21, 2014 at 02:20:25PM +0100, Clément Bœsch wrote:
> > First pixel was computed based on invalid address read, and then
> > corrected by the following memcpy. After the commit, it's not computed
> > anymore, and memcpy fills the appropriate area.
> > 
> > Fixes Ticket #3387
> > ---
> >  libavcodec/pngenc.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
> > index bf61be1..7fb511a 100644
> > --- a/libavcodec/pngenc.c
> > +++ b/libavcodec/pngenc.c
> > @@ -123,7 +123,7 @@ static void png_filter_row(DSPContext *dsp, uint8_t *dst, int filter_type,
> >          memcpy(dst, src, size);
> >          break;
> >      case PNG_FILTER_VALUE_SUB:
> > -        dsp->diff_bytes(dst, src, src-bpp, size);
> > +        dsp->diff_bytes(dst + bpp, src + bpp, src, size - bpp);
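
Review bot: on the added line in the PNG_FILTER_VALUE_SUB case, nothing visible in this hunk writes the first bpp bytes of dst or guards `size - bpp` against a row where size < bpp. The commit message relies on a following memcpy to fill the first pixel; a short comment at the call stating that dependency, plus a check or assertion that size >= bpp, would make it explicit. Offsetting dst and src by bpp also shifts both pointers off whatever alignment the row buffers have, which matters because the diff_bytes prototype marks dst and src1 as "align 16".
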
> 
> dsputil.h specifies that dst&src1 need 16byte align
> void (*diff_bytes)(uint8_t *dst/*align 16*/, const uint8_t *src1/*align 16*/, const uint8_t *src2/*align 1*/,int w);
> 
> also see sub_left_prediction() in huffyuvenc
> 

Mmh. Would the attached patch be more reasonable then?

-- 
Clément B.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-avcodec-pngenc-fix-invalid-read-in-sub-filter.patch
Type: text/x-diff
Size: 1801 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20140223/447b370a/attachment.bin>