[FFmpeg-devel] [PATCH] dvenc: Prevent out-of-bounds read
Martin Vignali
martin.vignali at gmail.com
Fri Nov 17 18:42:09 EET 2017
2017-11-17 17:20 GMT+01:00 Derek Buitenhuis <derek.buitenhuis at gmail.com>:
> mb_area_start has 5 entries, and 'a' is iterated through from 0 to 3.
> 'a2' is set to 'a + 1', and mb_area_start[a2 + 1] is accessed, so if
> a is 3, then we try to access mb_area_start[5].
>
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis at gmail.com>
> ---
> I'm not 100% sure if this fix is /correct/, so hopefully someone
> knows the DV code...
> ---
> libavcodec/dvenc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/dvenc.c b/libavcodec/dvenc.c
> index ce2fc75daa..b79cbebb04 100644
> --- a/libavcodec/dvenc.c
> +++ b/libavcodec/dvenc.c
> @@ -383,7 +383,7 @@ static inline void dv_guess_qnos(EncBlockInfo *blks,
> int *qnos)
> prev = k;
> } else {
> if (b->next[k] >= mb_area_start[a + 1] &&
> b->next[k] < 64) {
> - for (a2 = a + 1; b->next[k] >=
> mb_area_start[a2 + 1]; a2++)
> + for (a2 = a + 1; a2 < 4 && b->next[k]
> >= mb_area_start[a2 + 1]; a2++)
> b->prev[a2] = prev;
> av_assert2(a2 < 4);
> av_assert2(b->mb[b->next[k]]);
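Review bot: The new `a2 < 4` guard in the for condition conflicts with the `av_assert2(a2 < 4);` that follows the loop. In the case the commit message describes (a is 3), a2 starts at 4, the guard skips the loop, and the assertion then fails. Since av_assert2 is only compiled in at higher assert levels, a normal build would instead carry a2 == 4 into whatever code follows. Please settle whether a == 3 can actually reach this branch. If it can, the code after the loop has to handle a2 == 4 explicitly and the assertion should go. If it cannot, say why in a comment (the outer `b->next[k] < 64` check looks like the relevant condition) and consider asserting before the loop rather than adding a guard the assertion contradicts.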
> --
>
>
Hello,
I don't know the dvenc code,
but you seem to test the assert of the next line.
Maybe move the assert (a2 < 4); before the for loop, if it's a theoretical
case,
or remove it if this case can really happen.
Martin