[FFmpeg-devel] [PATCH] libavfilter:vf_thumbnail.c: Fix bug in buffer handling for RGB width

Clément Bœsch u at pkh.me
Thu Feb 19 08:23:39 CET 2015


On Wed, Feb 18, 2015 at 04:09:39PM -0800, Chris Kennedy wrote:
> On Wed, Feb 18, 2015 at 2:34 PM, Clément Bœsch <u at pkh.me> wrote:
> 
> > On Wed, Feb 18, 2015 at 02:22:53PM -0800, Chris Kennedy wrote:
> > > This is a pretty obvious bug we caught in the thumbnail filter that is very
> > > subtle and hardly ever shows issues except for certain videos.  Yet it can
> > > be seen how it is blatantly going out of bounds by basing the width
> > > increment off of i*3 that resulted in odd crashes in rare cases.
> > >
> > >
> > > Thanks,
> > > Chris
> > > --
> > > ---
> > > Chris Kennedy
> > > Video Engineer
> > > CrunchyRoll - http://www.crunchyroll.com
> >
> > > diff --git a/libavfilter/vf_thumbnail.c b/libavfilter/vf_thumbnail.c
> > > index 1883154..a1272a0 100644
> > > --- a/libavfilter/vf_thumbnail.c
> > > +++ b/libavfilter/vf_thumbnail.c
> > > @@ -142,7 +142,8 @@ static int filter_frame(AVFilterLink *inlink,
> > AVFrame *frame)
> > >
> > >      // update current frame RGB histogram
> > >      for (j = 0; j < inlink->h; j++) {
> > > -        for (i = 0; i < inlink->w; i++) {
> > > +        // last third of image, walk every 3 bytes/pixels reading RGB
> > > +        for (i = 0; i < inlink->w/3; i++) {
> >
> > width is expressed in pixels, not bytes.
> >
> 
> Right, this part seems tricky, yet it doesn't make sense to walk the entire
> width with var i and then walk it by 3's up to the very last increment.
> 

Well, it's width x 3 components, so I'm not sure I get your problem.

> 
> >
> > How to reproduce the issue or crash?
> >
> > >              hist[0*256 + p[i*3    ]]++;
> > >              hist[1*256 + p[i*3 + 1]]++;
> > >              hist[2*256 + p[i*3 + 2]]++;
> > >
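Review bot: the new bound `i < inlink->w/3` does not fix an out-of-bounds read, it drops two thirds of every row: `w` is already in pixels and each pixel is three bytes (R, G, B, as the three `hist` lookups show), so with `i < inlink->w` the last read `p[i*3 + 2]` lands on byte `w*3 - 1`, the final byte of the row, and with `w/3` the loop stops after the first third of each row and the histogram is computed from a third of the image. The added comment "last third of image, walk every 3 bytes/pixels reading RGB" also does not describe what the loop does (it walks the first third, one pixel per iteration). If a crash is really being seen, `i*3` is not its source; a reproducer under valgrind or a backtrace, as asked for above, would locate it. Suggest dropping this hunk as is.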
> >
> >
> The source is copyrighted, and it happens on certain types of encodings it
> seems, and only 1 out of every 250 or some really low number.  I will work
> on getting a reproducible case.
> 

valgrind doesn't give you hints? Or you can't get a coredump & backtrace?

[...]

-- 
Clément B.
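The point made above, that width is in pixels and each pixel carries three components, can be checked with a small self-contained program. What follows is an added example written for this page, not code from FFmpeg or from either poster; the function and constant names (`rgb24_histogram`, `test_frame`, `g_hist`) are its own, and the 5x2 frame with a padded 16-byte stride is constructed inline. It runs the histogram loop with the existing bound `i < w` and with the proposed `i < w/3`, and rejects a stride too small to hold `w` pixels, which is the only way `p[i*3 + 2]` could leave the row.

```c
/* Added example, not FFmpeg code: shows why "i < w" with p[i*3 + 2] stays
 * inside an RGB24 row, and what the proposed "i < w/3" bound would count.
 * All names here are this example's own. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BPP 3                  /* bytes per pixel in packed RGB24 */
#define HIST_SIZE (3 * 256)    /* one 256-bin histogram per component */

static unsigned g_hist[HIST_SIZE];

/* Per-component histogram of an RGB24 image. w and h are in pixels,
 * linesize is the row stride in bytes (may exceed w*3 because of padding).
 * With patched == 0 the inner loop runs i < w, as in the current filter;
 * with patched != 0 it runs i < w/3, as in the proposed change.
 * Returns the number of pixels visited, or -1 if the stride cannot hold
 * w pixels, the one case where p[i*3 + 2] really would leave the row. */
static long rgb24_histogram(const uint8_t *data, int w, int h, int linesize,
                            int patched, unsigned hist[HIST_SIZE])
{
    if (w < 0 || h < 0 || linesize < w * BPP)
        return -1;
    memset(hist, 0, HIST_SIZE * sizeof(*hist));
    int npix = patched ? w / 3 : w;
    const uint8_t *p = data;
    for (int j = 0; j < h; j++) {
        /* i counts pixels, so the last byte read is p[(w-1)*3 + 2] == p[w*3 - 1],
         * the final payload byte of the row: in bounds for an RGB24 row. */
        for (int i = 0; i < npix; i++) {
            hist[0 * 256 + p[i * BPP    ]]++;
            hist[1 * 256 + p[i * BPP + 1]]++;
            hist[2 * 256 + p[i * BPP + 2]]++;
        }
        p += linesize;
    }
    return (long)npix * h;
}

/* Constructed 5x2 RGB24 frame with a padded 16-byte stride (15 payload
 * bytes + 1 pad byte per row); pad bytes are 0xEE so a read into them shows. */
#define TW 5
#define TH 2
#define TSTRIDE 16
static uint8_t g_frame[TH * TSTRIDE];

static const uint8_t *test_frame(void)
{
    memset(g_frame, 0xEE, sizeof(g_frame));
    for (int j = 0; j < TH; j++)
        for (int i = 0; i < TW; i++) {
            uint8_t *px = g_frame + j * TSTRIDE + i * BPP;
            px[0] = 10;  /* R */
            px[1] = 20;  /* G */
            px[2] = 30;  /* B */
        }
    return g_frame;
}

/* Runs the histogram over the constructed frame into g_hist. */
static long histogram_of_test_frame(int patched, int linesize)
{
    return rgb24_histogram(test_frame(), TW, TH, linesize, patched, g_hist);
}

/* Number of times a 0xEE pad byte was counted in any component. */
static unsigned pad_hits(void)
{
    return g_hist[0xEE] + g_hist[256 + 0xEE] + g_hist[512 + 0xEE];
}

int main(void)
{
    long n = histogram_of_test_frame(0, TSTRIDE);
    printf("i < w:   %ld pixels, R[10]=%u, pad bytes read: %u\n",
           n, g_hist[10], pad_hits());
    n = histogram_of_test_frame(1, TSTRIDE);
    printf("i < w/3: %ld pixels, R[10]=%u (rest of each row skipped)\n",
           n, g_hist[10]);
    printf("stride 14 < w*3: %ld (rejected)\n", histogram_of_test_frame(0, 14));
    return 0;
}
```

With the existing bound all 10 pixels are counted and no pad byte is touched; with `w/3` only 1 of 5 pixels per row is visited. A stride shorter than `w*3` is the condition under which reads would leave the row, and that is a property of the input buffer, not of the `i*3` indexing.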