[FFmpeg-cvslog] swscale/utils: More carefully merge and clear coefficients outside the input

Michael Niedermayer git at videolan.org
Sat Mar 21 02:30:04 CET 2015


ffmpeg | branch: release/2.5 | Michael Niedermayer <michaelni at gmx.at> | Tue Feb 24 00:32:39 2015 +0100| [fe8c81a0f36bc42904c3f41c16c330a10d51e310] | committer: Michael Niedermayer

swscale/utils: More carefully merge and clear coefficients outside the input

Fixes out of array read
Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 1895d414aaacece3b57d7bf19502305e9a064fae)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe8c81a0f36bc42904c3f41c16c330a10d51e310
---

 libswscale/utils.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/libswscale/utils.c b/libswscale/utils.c
index fd58d3a..1fc9fc4 100644
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
@@ -612,14 +612,24 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos,
 
         if ((*filterPos)[i] + filterSize > srcW) {
             int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0);
+            int64_t acc = 0;
 
-            // move filter coefficients right to compensate for filterPos
-            for (j = filterSize - 2; j >= 0; j--) {
-                int right = FFMIN(j + shift, filterSize - 1);
-                filter[i * filterSize + right] += filter[i * filterSize + j];
-                filter[i * filterSize + j]      = 0;
+            for (j = filterSize - 1; j >= 0; j--) {
+                if ((*filterPos)[i] + j >= srcW) {
+                    acc += filter[i * filterSize + j];
+                    filter[i * filterSize + j] = 0;
+                }
             }
+            for (j = filterSize - 1; j >= 0; j--) {
+                if (j < shift) {
+                    filter[i * filterSize + j] = 0;
+                } else {
+                    filter[i * filterSize + j] = filter[i * filterSize + j - shift];
+                }
+            }
+
             (*filterPos)[i]-= shift;
+            filter[i * filterSize + srcW - 1 - (*filterPos)[i]] += acc;
         }
     }
 



More information about the ffmpeg-cvslog mailing list