[FFmpeg-trac] #7989(undetermined:new): heap-buffer-overflow at apng_do_inverse_blend in libavcodec/pngenc.c

FFmpeg trac at avcodec.org
Thu Jul 4 06:13:56 EEST 2019


#7989: heap-buffer-overflow at apng_do_inverse_blend in libavcodec/pngenc.c
-------------------------------------+-------------------------------------
             Reporter:  Suhwan       |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:
                                     |  undetermined
              Version:  unspecified  |               Resolution:
             Keywords:  enc          |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------

Comment (by Suhwan):

 code : libavcodec/pngenc.c,
 I think it might happen on the following line.
 {{{if (!memcmp(input_data + bpp * x, output_data + bpp * x, bpp))}}}
 bpp's size is bigger than the size of output_data + bpp * x.


 {{{
 static int apng_do_inverse_blend(AVFrame *output, const AVFrame *input,
                                   APNGFctlChunk *fctl_chunk, uint8_t bpp)
 {
     // output: background, input: foreground
     // output the image such that when blended with the background, will produce the foreground

     unsigned int x, y;
     unsigned int leftmost_x = input->width;
     unsigned int rightmost_x = 0;
     unsigned int topmost_y = input->height;
     unsigned int bottommost_y = 0;
     const uint8_t *input_data = input->data[0];
     uint8_t *output_data = output->data[0];
     ptrdiff_t input_linesize = input->linesize[0];
     ptrdiff_t output_linesize = output->linesize[0];

     // Find bounding box of changes
     for (y = 0; y < input->height; ++y) {
         for (x = 0; x < input->width; ++x) {
             if (!memcmp(input_data + bpp * x, output_data + bpp * x, bpp))
                 continue;

             if (x < leftmost_x)
                 leftmost_x = x;
             if (x >= rightmost_x)
                 rightmost_x = x + 1;
             if (y < topmost_y)
                 topmost_y = y;
             if (y >= bottommost_y)
                 bottommost_y = y + 1;
         }

         input_data += input_linesize;
         output_data += output_linesize;
     }
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/7989#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
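The loop quoted above reads `bpp` bytes per pixel from both the foreground and the background row for every column of the input frame, so it is only safe when the background buffer is at least as wide and as tall as the input and each row actually holds `bpp * width` bytes. The following is an added, self-contained C example (not FFmpeg's code; the `Frame` struct is a hypothetical stand-in for the few `AVFrame` fields the loop touches) that performs the same bounding-box scan but first checks that both buffers cover the compared region, refusing to compare frames whose declared allocation is too small instead of letting `memcmp` run past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the AVFrame fields the ticket's loop reads.
 * alloc_size is the number of bytes actually allocated behind `data`. */
typedef struct {
    int width;
    int height;
    ptrdiff_t linesize;     /* bytes between the starts of consecutive rows */
    size_t alloc_size;
    const uint8_t *data;
} Frame;

typedef struct {
    unsigned int x, y, w, h;
} BBox;

/* Returns 1 if reading bpp*width bytes from each of `height` rows of `f`
 * stays inside its allocation, 0 otherwise. */
static int frame_covers(const Frame *f, int width, int height, unsigned int bpp)
{
    if (width <= 0 || height <= 0 || bpp == 0)
        return 0;
    if (f->width < width || f->height < height || f->linesize <= 0)
        return 0;
    size_t row_bytes = (size_t)bpp * (size_t)width;
    if (row_bytes > (size_t)f->linesize)
        return 0;
    size_t needed = (size_t)(height - 1) * (size_t)f->linesize + row_bytes;
    return needed <= f->alloc_size;
}

/* Bounding box of the pixels where input differs from output.
 * Returns 0 and fills *box, or -1 if the frames cannot be compared safely. */
static int find_changed_bbox(const Frame *input, const Frame *output,
                             unsigned int bpp, BBox *box)
{
    /* Pre-check both buffers against the region the scan will read. */
    if (!frame_covers(input, input->width, input->height, bpp) ||
        !frame_covers(output, input->width, input->height, bpp))
        return -1;

    unsigned int leftmost_x = (unsigned int)input->width, rightmost_x = 0;
    unsigned int topmost_y = (unsigned int)input->height, bottommost_y = 0;
    const uint8_t *in = input->data;
    const uint8_t *out = output->data;

    for (unsigned int y = 0; y < (unsigned int)input->height; ++y) {
        for (unsigned int x = 0; x < (unsigned int)input->width; ++x) {
            if (!memcmp(in + bpp * x, out + bpp * x, bpp))
                continue;
            if (x < leftmost_x)   leftmost_x = x;
            if (x >= rightmost_x) rightmost_x = x + 1;
            if (y < topmost_y)    topmost_y = y;
            if (y >= bottommost_y) bottommost_y = y + 1;
        }
        in += input->linesize;
        out += output->linesize;
    }

    if (rightmost_x == 0) {          /* no pixel changed: empty box */
        box->x = box->y = box->w = box->h = 0;
    } else {
        box->x = leftmost_x;
        box->y = topmost_y;
        box->w = rightmost_x - leftmost_x;
        box->h = bottommost_y - topmost_y;
    }
    return 0;
}

/* Constructed sample: 4x3 RGB frames (bpp 3, linesize 12). The foreground
 * differs from the all-zero background at pixels (1,1) and (2,2). */
static const uint8_t BG[36] = {0};
static const uint8_t FG[36] = {
    0,0,0, 0,0,0, 0,0,0, 0,0,0,
    0,0,0, 9,9,9, 0,0,0, 0,0,0,
    0,0,0, 0,0,0, 7,7,7, 0,0,0,
};

/* Well-formed frames: returns 1 if the box comes out as (1,1,2,2). */
int demo_bbox_ok(void)
{
    Frame input  = {4, 3, 12, sizeof FG, FG};
    Frame output = {4, 3, 12, sizeof BG, BG};
    BBox b;
    if (find_changed_bbox(&input, &output, 3, &b) != 0)
        return 0;
    return b.x == 1 && b.y == 1 && b.w == 2 && b.h == 2;
}

/* Background buffers that cannot hold the compared region (one declared with
 * a too-small allocation, one narrower than the input): the scan must refuse
 * both. Returns 1 if both are refused. */
int demo_short_output_refused(void)
{
    Frame input  = {4, 3, 12, sizeof FG, FG};
    Frame short_alloc = {4, 3, 12, 30, BG};   /* 36 bytes needed, 30 declared */
    Frame narrow      = {3, 3, 12, sizeof BG, BG};
    BBox b;
    return find_changed_bbox(&input, &short_alloc, 3, &b) == -1 &&
           find_changed_bbox(&input, &narrow, 3, &b) == -1;
}

int main(void)
{
    printf("bbox ok: %d, short output refused: %d\n",
           demo_bbox_ok(), demo_short_output_refused());
    return 0;
}
```

The check is deliberately computed from the declared allocation and linesize rather than from `width`/`height` alone, because a frame whose rows are packed more tightly than `bpp * width` (or whose last row is truncated) passes a plain dimension comparison yet still lets a per-pixel `memcmp` read past the buffer.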


More information about the FFmpeg-trac mailing list