[FFmpeg-devel] [PATCH 2/2] avdevice/libopenh264dec: Increase array sizes, fix stack-buffer overread
Andreas Rheinhardt
andreas.rheinhardt at outlook.com
Mon Dec 6 14:32:17 EET 2021
Linjie Fu:
> On Mon, Dec 6, 2021 at 7:37 PM Andreas Rheinhardt <andreas.rheinhardt at outlook.com> wrote:
>
>> av_image_copy() expects an array of four pointers and linesizes
>> according to its declaration; it currently only uses the pointers that are
>> actually in use (depending upon the pixel format), but this might
>> change at any time. It has already happened for the linesizes in
>> d7bc52bf456deba0f32d9fe5c288ec441f1ebef5 and so increasing their
>> array fixes a stack-buffer overread.
>>
>> This fixes a -Wstringop-overflow= and -Wstringop-overread warning
>> from GCC 11.2.
>>
>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
>> ---
>> libavcodec/libopenh264dec.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/libavcodec/libopenh264dec.c b/libavcodec/libopenh264dec.c
>> index ea70a8e143..7f5e85402a 100644
>> --- a/libavcodec/libopenh264dec.c
>> +++ b/libavcodec/libopenh264dec.c
>> @@ -91,8 +91,8 @@ static int svc_decode_frame(AVCodecContext *avctx, void
>> *data,
>> {
>> SVCContext *s = avctx->priv_data;
>> SBufferInfo info = { 0 };
>> - uint8_t* ptrs[3];
>> - int ret, linesize[3];
>> + uint8_t *ptrs[4] = { NULL };
>> + int ret, linesize[4];
>> AVFrame *avframe = data;
>> DECODING_STATE state;
>> #if OPENH264_VER_AT_LEAST(1, 7)
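Review bot: `ptrs` is now zero-initialised at its declaration (`uint8_t *ptrs[4] = { NULL };`) but `linesize[4]` is not, so the two arrays that av_image_copy() takes together are fully defined at different points; consider `int linesize[4] = { 0 };` here too (declaring `ret` separately) so that a reader cannot later drop the `linesize[3] = 0;` assignment in the body without reintroducing the over-read. The new sizes otherwise match the four pointers and four linesizes that av_image_copy() declares.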
>> @@ -140,6 +140,7 @@ static int svc_decode_frame(AVCodecContext *avctx,
>> void *data,
>>
>> linesize[0] = info.UsrData.sSystemBuffer.iStride[0];
>> linesize[1] = linesize[2] = info.UsrData.sSystemBuffer.iStride[1];
>> + linesize[3] = 0;
>> av_image_copy(avframe->data, avframe->linesize, (const uint8_t **)
>> ptrs, linesize, avctx->pix_fmt, avctx->width, avctx->height);
>>
>> avframe->pts = info.uiOutYuvTimeStamp;
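Review bot: `linesize[3] = 0;` would benefit from a one-line comment explaining why an entry that none of the three planes set just above uses must still be initialised: as the commit message says, av_image_copy() can read all four linesizes since d7bc52bf456deba0f32d9fe5c288ec441f1ebef5, so leaving it unset is a stack over-read even though the value never drives a copy. Without that note the assignment looks redundant next to `linesize[1] = linesize[2] = ...` and is an easy casualty of a later cleanup.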
>> --
>> 2.32.0
>>
> lgtm. (guess the title is referring to "avcodec/libopenh264dec: xxx" ?)
>
Yes. I reused and adapted the commit message of
9b17273c77ee2868ef34abc49efa70260453235b, but apparently forgot this.
Will fix before committing.
- Andreas