[FFmpeg-trac] #72(swscale:new): Invalid pal8 sample crashes libswscale

FFmpeg trac at avcodec.org
Thu Apr 28 13:06:53 CEST 2011


#72: Invalid pal8 sample crashes libswscale
----------------------+----------------------
Reporter:  cehoyos    |       Owner:  michael
    Type:  defect     |      Status:  new
Priority:  important  |   Component:  swscale
 Version:  git        |  Resolution:
Keywords:             |  Blocked By:
Blocking:             |  Reproduced:  1
Analyzed:  0          |
----------------------+----------------------

Comment (by saste):

 Replying to [ticket:72 cehoyos]:
 > The sample from issue 2497 (that originally crashed the bfi decoder) now crashes libswscale.
 > {{{
 > (gdb) r -i bfi_buffer_overread.bfi out.avi

 Fixed in master:

 commit bd2a3700c045201b043a0e812d932e9d4fc37e82
 Author: Stefano Sabatini <stefano.sabatini-lala at poste.it>
 Date:   Mon Apr 25 01:17:08 2011 +0200

     lsws: prevent overflow in sws_init_context()

     In the loop:
         for (i=0; i<dstH; i++) {
             int chrI= i*c->chrDstH / dstH;

     when i*c->chrDstH > INT_MAX this leads to an integer overflow, which
     results in a negative value for chrI and in out-of-buffer reads. The
     overflow is avoided by forcing int64_t arithmetic by casting i to
     int64_t.

     Fix crash, and trac issue #72.

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/72#comment:1>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
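
The overflow described in the commit message above, as an added example (not FFmpeg code and not part of the original message). It models the 32-bit wraparound of `i*chrDstH` with unsigned arithmetic, so the demo itself has no undefined behaviour, and compares it with the `int64_t` cast. The helper names and the dimensions are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Reinterpret a 32-bit pattern as signed without relying on an
 * implementation-defined out-of-range conversion. */
static int32_t to_i32(uint32_t u)
{
    return u <= INT32_MAX ? (int32_t)u
                          : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Model of the pre-fix expression i*chrDstH / dstH with a 32-bit int.
 * Signed overflow is undefined in C; this reproduces the two's-complement
 * wraparound usually seen in practice (an assumption of this example). */
static int32_t chr_index_wrapped(int32_t i, int32_t chrDstH, int32_t dstH)
{
    return to_i32((uint32_t)i * (uint32_t)chrDstH) / dstH;
}

/* The fix from the commit message: cast i to int64_t so the product is
 * formed in 64 bits before the division. */
static int32_t chr_index_fixed(int32_t i, int32_t chrDstH, int32_t dstH)
{
    return (int32_t)((int64_t)i * chrDstH / dstH);
}

/* First row whose wrapped index leaves [0, chrDstH), or -1 if none does. */
static int32_t first_bad_row(int32_t dstH, int32_t chrDstH)
{
    for (int32_t i = 0; i < dstH; i++) {
        int32_t chrI = chr_index_wrapped(i, chrDstH, dstH);
        if (chrI < 0 || chrI >= chrDstH)
            return i;
    }
    return -1;
}

int main(void)
{
    /* Constructed dimensions, not taken from the bfi sample. */
    int32_t dstH = 100000, chrDstH = 50000;
    int32_t i = first_bad_row(dstH, chrDstH);
    printf("first bad row %d: wrapped chrI=%d, fixed chrI=%d\n", (int)i,
           (int)chr_index_wrapped(i, chrDstH, dstH),
           (int)chr_index_fixed(i, chrDstH, dstH));
    return 0;
}
```

A bounds check on the destination dimensions before this loop would reject such inputs earlier; the cast only keeps the index arithmetic correct.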

