[MPlayer-dev-eng] [PATCH] spudec: fix heap overflow in pal2gray_alpha()

Matthijs van Otterdijk matko at pievolution.org
Tue Jul 1 15:45:31 CEST 2014


sub/spudec.c:spudec_packet_fill() optionally draws rectangles with an x and
y offset, which is used by sub/av_sub.c:avsub_to_spudec() in case of
multiple rects. The way this is done now causes a heap overflow in
spudec.c:pal2gray_alpha().
spudec_packet_fill() offsets img and aimg by x before calling
pal2gray_alpha(). pal2gray_alpha() writes dst_stride pixels for each line
in the rect. In case the bottom rectangle (and therefore the rectangle
situated at the end of the packet buffer) has an x offset, this will cause
x 0s to be written past the end of the packet buffer.

The attached patch fixes this by making pal2gray_alpha() handle the x
offset, rather than spudec_packet_fill().

- Matthijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_spudec_heap_overflow.patch
Type: text/x-patch
Size: 1860 bytes
Desc: not available
URL: <https://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20140701/7a6e0328/attachment.bin>
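
The overflow described in the message above, modelled as an added example that is not part of the original post or the attached patch. All function names are hypothetical, a constant stands in for the converted pixel data, and a guard region after the buffer makes the stray writes countable without the demo itself going out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PIXEL 0x11 /* constructed pixel value; all names here are hypothetical */
#define GUARD 0xAA /* pattern placed after the buffer to detect stray writes */

/* "Before": the caller already advanced dst by x_off, yet a full stride is emitted. */
static void fill_before(uint8_t *dst, int stride, int w, int h)
{
    for (int y = 0, x; y < h; y++) {
        for (x = 0; x < w; x++) *dst++ = PIXEL;
        for (; x < stride; x++) *dst++ = 0; /* last x_off zeros land in the next line */
    }
}

/* "After": dst is the line start and the callee applies x_off itself. */
static void fill_after(uint8_t *dst, int stride, int x_off, int w, int h)
{
    for (int y = 0, x; y < h; y++) {
        for (x = 0; x < x_off; x++) *dst++ = 0;
        for (; x < x_off + w; x++) *dst++ = PIXEL;
        for (; x < stride; x++) *dst++ = 0;
    }
}

/* Draws a w*h rect at (x_off, y_off); returns guard bytes modified, -1 on bad input. */
int bytes_past_end(int fixed, int stride, int height, int x_off, int y_off, int w, int h)
{
    if (stride <= 0 || height <= 0 || x_off < 0 || y_off < 0 || w < 0 || h < 0 ||
        x_off + w > stride || y_off + h > height) return -1;
    size_t size = (size_t)stride * height;
    uint8_t *buf = calloc(1, size + stride); /* one extra stride acts as the guard */
    if (!buf) return -1;
    memset(buf + size, GUARD, stride);
    uint8_t *line = buf + (size_t)y_off * stride;
    if (fixed) fill_after(line, stride, x_off, w, h);
    else       fill_before(line + x_off, stride, w, h);
    int spilled = 0;
    for (int i = 0; i < stride; i++) spilled += buf[size + i] != GUARD;
    free(buf);
    return spilled;
}

int main(void)
{
    printf("before: %d, after: %d\n", bytes_past_end(0, 16, 4, 3, 2, 8, 2),
           bytes_past_end(1, 16, 4, 3, 2, 8, 2));
}
```

A rect that does not touch the last line of the buffer reports 0 in both variants, because the extra zeros land at the start of the following line instead of past the end.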

