[FFmpeg-devel] [PATCH] libavfilter:vf_thumbnail.c: Fix bug in buffer handling for RGB width

[Chris Kennedy]

On Wed, Feb 18, 2015 at 2:34 PM, Clément Bœsch <u at pkh.me> wrote:

> On Wed, Feb 18, 2015 at 02:22:53PM -0800, Chris Kennedy wrote:
> > This is a pretty obvious bug we caught in the thumbnail filter that is
> very
> > subtle and hardly ever shows issues except for certain videos.  Yet it
> can
> > be seen how it is blatantly going out of bounds by basing the width
> > increment off of i*3 that resulted in odd crashes in rare cases.
> >
> >
> > Thanks,
> > Chris
> > --
> > ---
> > Chris Kennedy
> > Video Engineer
> > CrunchyRoll - http://www.crunchyroll.com
>
> > diff --git a/libavfilter/vf_thumbnail.c b/libavfilter/vf_thumbnail.c
> > index 1883154..a1272a0 100644
> > --- a/libavfilter/vf_thumbnail.c
> > +++ b/libavfilter/vf_thumbnail.c
> > @@ -142,7 +142,8 @@ static int filter_frame(AVFilterLink *inlink,
> AVFrame *frame)
> >
> >      // update current frame RGB histogram
> >      for (j = 0; j < inlink->h; j++) {
> > -        for (i = 0; i < inlink->w; i++) {
> > +        // last third of image, walk every 3 bytes/pixels reading RGB
> > +        for (i = 0; i < inlink->w/3; i++) {
>
> width is expressed in pixels, not bytes.
>

Right, this part seems tricky, yet it doesn't make sense to walk the entire
width with var i and then walk it by 3's up to the very last increment.


>
> How to reproduce the issue or crash?
>
> >              hist[0*256 + p[i*3    ]]++;
> >              hist[1*256 + p[i*3 + 1]]++;
> >              hist[2*256 + p[i*3 + 2]]++;
> >
>
>
The source is copyrighted, and it happens on certain types of encodings it
seems, and only 1 out of every 250 or some really low number.  I will work
on getting a reproducible case.

Thanks,
Chris


> --
> Clément B.
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
>