[FFmpeg-devel] [PATCH 1/3] avfilter/vf_minterpolate: Reject too small dimensions

Thu Oct 8 15:55:01 EEST 2020

Andreas Rheinhardt:
> The latter code relies upon the dimensions to be not too small;
> otherwise one will call av_clip() with min > max lateron which aborts
> in case ASSERT_LEVEL is >= 2 or one will get a nonsense result that may
> lead to a heap-buffer-overflow/underflow. The latter has happened in
> ticket #8248 which this commit fixes.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> ---
>  libavfilter/vf_minterpolate.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c
> index c9ce80420d..e1fe5e32b5 100644
> --- a/libavfilter/vf_minterpolate.c
> +++ b/libavfilter/vf_minterpolate.c
> @@ -363,6 +363,11 @@ static int config_input(AVFilterLink *inlink)
>      }
>  
>      if (mi_ctx->mi_mode == MI_MODE_MCI) {
> +        if (mi_ctx->b_width < 2 || mi_ctx->b_height < 2) {
> +            av_log(inlink->dst, AV_LOG_ERROR, "Height or width < %d\n",
> +                   2 * mi_ctx->mb_size);
> +            return AVERROR(EINVAL);
> +        }
>          mi_ctx->pixel_mvs = av_mallocz_array(width * height, sizeof(PixelMVS));
>          mi_ctx->pixel_weights = av_mallocz_array(width * height, sizeof(PixelWeights));
>          mi_ctx->pixel_refs = av_mallocz_array(width * height, sizeof(PixelRefs));
> 

Will apply this patchset tomorrow unless there are objections.

- Andreas