[MPlayer-dev-eng] [patch] vf_menu, dvdnav: fix sigsegv when mpi->height > mpi->h

Yuriy Kaminskiy yumkam at mail.ru
Tue Oct 12 20:30:25 CEST 2010


When mpi->height > mpi->h (== dmpi->height), and thus mpi->chroma_height >
dmpi->chroma_height, copy_mpi writes past allocated memory (I guess a similar
problem may exist with w != width, and there may be problems with non-zero x/y,
but I have not tested).

I'm not sure if this is the best solution, or if this is a *complete* solution
(I've looked only at alloc_mpi call sites), but the attached patch fixed the segv
for me [only the vf_menu path runtime-checked].

As alloc_mpi is used only in these two places, maybe it makes sense to replace it
with a clone_mpi that does the right thing with width/height/w/h/...

$ ffmpeg -i _vidcdi.mpg -s 320x240 -vcodec mjpeg out.avi
[...]
$ valgrind --db-attach=yes mplayer -nocache -vf-clr -vo null -menu foobar.avi
MPlayer SVN-r32418+lavc-mt-480a82d-4.1.2 (C) 2000-2010 MPlayer Team
...
==17068== Invalid write of size 8
==17068==    at 0x8207CEA: fast_memcpy (in mplayer-broken)
==17068==  Address 0x6b6f0b0 is 0 bytes after a block of size 116,160 alloc'd
==17068==    at 0x401CBB2: memalign (vg_replace_malloc.c:532)
==17068==    by 0x401CC5F: posix_memalign (vg_replace_malloc.c:660)
==17068==    by 0x86FF64F: av_malloc (in mplayer-broken)
...
(gdb) bt
#4  0x0812aa97 in copy_mpi (dmpi=0x60c46d8, mpi=0x60c4628)
    at ./libvo/fastmemcpy.h:85
#5  0x080c43ab in put_image (vf=0x5f81b40, mpi=0x60c4628,
    pts=0.066666666666666666) at libmenu/vf_menu.c:166
#6  0x08128e7e in filter_video ()
(gdb) p *mpi
 {flags = 49944, type = 3 '\003', number = 0, bpp = 12 '\f',
  imgfmt = 842094169, width = 320, height = 256, x = 0, y = 0, w = 320,
  h = 240, planes = {[...]}, stride = {320, 160, 160, 320},
  qscale = 0x5f94480 '\005' <repeats 20 times>, qstride = 0, pict_type = 1,
  fields = 1, qscale_type = 0, num_planes = 3, chroma_width = 160,
  chroma_height = 128, chroma_x_shift = 1, chroma_y_shift = 1,
  usage_count = 1, priv = 0x0}
(gdb) p *dmpi
 {flags = 17152, type = 0 '\0', number = 0, bpp = 12 '\f',
  imgfmt = 842094169, width = 320, height = 240, x = 0, y = 0, w = 320,
  h = 240, planes = {[...]}, stride = {320, 160,
    160, 320}, qscale = 0x0, qstride = 0, pict_type = 0, fields = 0,
  qscale_type = 0, num_planes = 3, chroma_width = 160, chroma_height = 120,
  chroma_x_shift = 1, chroma_y_shift = 1, usage_count = 0, priv = 0x0}
===
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-mpi-height-ne-h.patch
Type: text/x-diff
Size: 1489 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20101012/b60eb0de/attachment.patch>
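The geometry in the report (source coded at 320x256 with a 320x240 visible area, destination allocated at 320x240, so chroma planes of 128 versus 120 rows) is enough to show why a per-row copy driven by the source's own height overruns a destination sized from its height. The following is an added illustration, not the scrubbed patch and not MPlayer's copy_mpi or mp_image: it uses a constructed stand-in struct with only the fields involved (width/height for the allocated buffer, w/h for the visible area, chroma_* for the subsampled planes), a check that reports when such a copy would write past the destination, and a copy that clamps every plane to the smaller of the two geometries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the mp_image fields that matter here
 * (not MPlayer's real struct): width/height describe the allocated
 * buffer, w/h the visible area, chroma_* the 4:2:0 chroma planes. */
typedef struct {
    int width, height;
    int w, h;
    int chroma_width, chroma_height;
    int stride[3];
    uint8_t *planes[3];
} img_t;

/* Allocate a 4:2:0 image whose planes are sized from width/height only,
 * which is what makes a copy driven by another image's geometry unsafe. */
static void img_alloc(img_t *img, int width, int height, int w, int h) {
    img->width = width;  img->height = height;
    img->w = w;          img->h = h;
    img->chroma_width  = (width + 1) / 2;
    img->chroma_height = (height + 1) / 2;
    img->stride[0] = width;
    img->stride[1] = img->stride[2] = img->chroma_width;
    img->planes[0] = calloc((size_t)img->stride[0] * img->height, 1);
    img->planes[1] = calloc((size_t)img->stride[1] * img->chroma_height, 1);
    img->planes[2] = calloc((size_t)img->stride[2] * img->chroma_height, 1);
}

static void img_free(img_t *img) {
    for (int i = 0; i < 3; i++) { free(img->planes[i]); img->planes[i] = NULL; }
}

/* Rows and payload bytes per row of plane p (luma is plane 0). */
static int plane_rows(const img_t *img, int p)  { return p == 0 ? img->height : img->chroma_height; }
static int plane_bytes(const img_t *img, int p) { return p == 0 ? img->width  : img->chroma_width; }

/* Returns 1 when copying src's planes into dst using src's own geometry
 * (what an unchecked per-row copy does) would run past dst's buffers. */
int copy_would_overflow(const img_t *dst, const img_t *src) {
    for (int p = 0; p < 3; p++)
        if (plane_rows(src, p) > plane_rows(dst, p) ||
            plane_bytes(src, p) > dst->stride[p])
            return 1;
    return 0;
}

/* Bounds-respecting copy: each plane is clamped to the smaller of the two
 * geometries, so dst can never be overrun. Returns bytes written to dst. */
size_t copy_planes_clamped(img_t *dst, const img_t *src) {
    size_t total = 0;
    for (int p = 0; p < 3; p++) {
        int rows  = plane_rows(src, p)  < plane_rows(dst, p)  ? plane_rows(src, p)  : plane_rows(dst, p);
        int bytes = plane_bytes(src, p) < plane_bytes(dst, p) ? plane_bytes(src, p) : plane_bytes(dst, p);
        for (int y = 0; y < rows; y++) {
            memcpy(dst->planes[p] + (size_t)y * dst->stride[p],
                   src->planes[p] + (size_t)y * src->stride[p], (size_t)bytes);
            total += (size_t)bytes;
        }
    }
    return total;
}

/* Reproduce the report's geometry: 320x256 coded frame with a 320x240
 * visible area copied into a 320x240 destination. Returns 1 when the
 * overflow check fires and the clamped copy still filled dst's last row. */
int demo_report_geometry(size_t *bytes_copied) {
    img_t src, dst;
    img_alloc(&src, 320, 256, 320, 240);   /* like *mpi in the gdb dump  */
    img_alloc(&dst, 320, 240, 320, 240);   /* like *dmpi in the gdb dump */
    memset(src.planes[0], 0x80, (size_t)src.stride[0] * src.height);
    int overflow = copy_would_overflow(&dst, &src);
    *bytes_copied = copy_planes_clamped(&dst, &src);
    int last = dst.planes[0][(size_t)dst.stride[0] * dst.height - 1];
    img_free(&src);
    img_free(&dst);
    return overflow && last == 0x80;
}
```

With this geometry the check reports an overflow (luma 256 rows into a 240-row buffer, chroma 128 rows into 120) and the clamped copy writes 320*240 + 2*160*120 = 115200 bytes, exactly the visible area, which is what the filter needed in the first place. Clamping to min() is the conservative choice; a stricter variant would refuse the copy outright when the geometries differ so the mismatch is caught at the call site.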