[FFmpeg-devel] [PATCH 2/2] avdevice/libopenh264dec: Increase array sizes, fix stack-buffer overread

Linjie Fu linjie.justin.fu at gmail.com
Mon Dec 6 14:29:27 EET 2021


On Mon, Dec 6, 2021 at 7:37 PM Andreas Rheinhardt <
andreas.rheinhardt at outlook.com> wrote:

> av_image_copy() expects an array of four pointers and linesizes
> according to its declaration; it currently only reads the pointers that are
> actually in use (depending upon the pixel format), but this might
> change at any time. It has already happened for the linesizes in
> d7bc52bf456deba0f32d9fe5c288ec441f1ebef5 and so increasing their
> array sizes fixes a stack-buffer overread.
>
> This fixes a -Wstringop-overflow= and -Wstringop-overread warning
> from GCC 11.2.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
> ---
>  libavcodec/libopenh264dec.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/libopenh264dec.c b/libavcodec/libopenh264dec.c
> index ea70a8e143..7f5e85402a 100644
> --- a/libavcodec/libopenh264dec.c
> +++ b/libavcodec/libopenh264dec.c
> @@ -91,8 +91,8 @@ static int svc_decode_frame(AVCodecContext *avctx, void
> *data,
>  {
>      SVCContext *s = avctx->priv_data;
>      SBufferInfo info = { 0 };
> -    uint8_t* ptrs[3];
> -    int ret, linesize[3];
> +    uint8_t *ptrs[4] = { NULL };
> +    int ret, linesize[4];
>      AVFrame *avframe = data;
>      DECODING_STATE state;
>  #if OPENH264_VER_AT_LEAST(1, 7)
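Review bot: the two arrays in this hunk are initialized inconsistently: `uint8_t *ptrs[4] = { NULL };` zeroes the unused fourth pointer at its declaration, while `int ret, linesize[4];` leaves linesize[3] indeterminate until it is assigned further down in the function. Declaring `int ret, linesize[4] = { 0 };` would make both arrays safe at the same point, so the fix no longer depends on the separate assignment being kept.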
> @@ -140,6 +140,7 @@ static int svc_decode_frame(AVCodecContext *avctx,
> void *data,
>
>      linesize[0] = info.UsrData.sSystemBuffer.iStride[0];
>      linesize[1] = linesize[2] = info.UsrData.sSystemBuffer.iStride[1];
> +    linesize[3] = 0;
>      av_image_copy(avframe->data, avframe->linesize, (const uint8_t **)
> ptrs, linesize, avctx->pix_fmt, avctx->width, avctx->height);
>
>      avframe->pts     = info.uiOutYuvTimeStamp;
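Review bot: the added line `+    linesize[3] = 0;` carries no comment, so a later reader has no hint that the fourth entry exists only because av_image_copy() is declared to take arrays of four pointers and linesizes; a one-line comment saying so would keep it from being dropped as dead code, and would also be the natural place to note that ptrs[3] is covered by the `{ NULL }` initializer at the top of the function rather than set here.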
> --
> 2.32.0
>
lgtm. (Guess the title is referring to "avcodec/libopenh264dec: xxx"?)

