[FFmpeg-trac] #7989(undetermined:new): heap-buffer-overflow at apng_do_inverse_blend in libavcodec/pngenc.c
FFmpeg
trac at avcodec.org
Thu Jul 4 06:13:56 EEST 2019
#7989: heap-buffer-overflow at apng_do_inverse_blend in libavcodec/pngenc.c
-------------------------------------+-------------------------------------
             Reporter: Suhwan         |                    Owner:
                 Type: defect         |                   Status: new
             Priority: important      |                Component: undetermined
              Version: unspecified    |               Resolution:
             Keywords: enc            |               Blocked By:
             Blocking:                |  Reproduced by developer: 0
Analyzed by developer: 0              |
-------------------------------------+-------------------------------------
Comment (by Suhwan):
code: libavcodec/pngenc.c
I think it might happen on the following line.
{{{if (!memcmp(input_data + bpp * x, output_data + bpp * x, bpp))}}}
bpp's size is bigger than the size of output_data + bpp * x.
{{{
static int apng_do_inverse_blend(AVFrame *output, const AVFrame *input,
                                 APNGFctlChunk *fctl_chunk, uint8_t bpp)
{
    // output: background, input: foreground
    // output the image such that when blended with the background, will
    // produce the foreground
    unsigned int x, y;
    unsigned int leftmost_x = input->width;
    unsigned int rightmost_x = 0;
    unsigned int topmost_y = input->height;
    unsigned int bottommost_y = 0;
    const uint8_t *input_data = input->data[0];
    uint8_t *output_data = output->data[0];
    ptrdiff_t input_linesize = input->linesize[0];
    ptrdiff_t output_linesize = output->linesize[0];

    // Find bounding box of changes
    for (y = 0; y < input->height; ++y) {
        for (x = 0; x < input->width; ++x) {
            // compares bpp bytes of both rows at pixel x; only input's
            // width and height bound the loop
            if (!memcmp(input_data + bpp * x, output_data + bpp * x, bpp))
                continue;
            if (x < leftmost_x)
                leftmost_x = x;
            if (x >= rightmost_x)
                rightmost_x = x + 1;
            if (y < topmost_y)
                topmost_y = y;
            if (y >= bottommost_y)
                bottommost_y = y + 1;
        }
        input_data += input_linesize;
        output_data += output_linesize;
    }
    // (function continues in the original source)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/7989#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
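The comment above attributes the overread to the memcmp in the bounding-box loop: it compares bpp bytes of the output (background) row at every x up to input->width, while nothing in the shown loop checks that the output frame is at least that wide or that its linesize is at least bpp * width. As an added illustration (not FFmpeg's code and not part of the ticket), the following stand-alone C program computes the same bounding box behind explicit geometry checks, so that mismatched frames are rejected instead of read past. frame_t (a minimal stand-in for AVFrame), safe_diff_bbox, demo_box and the sample pixel data are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the AVFrame fields the bounding-box search touches
 * (constructed for this example; not libavutil's struct). */
typedef struct {
    int width;
    int height;
    ptrdiff_t linesize;
    const uint8_t *data;
} frame_t;

typedef struct {
    unsigned left, right, top, bottom;   /* right and bottom are exclusive */
} bbox_t;

/* Same search as the loop in the ticket, but every memcmp(in + bpp*x,
 * out + bpp*x, bpp) is preceded by a check that both rows really hold
 * bpp * width bytes. Returns 0 and fills *box on success, -1 when the
 * frame geometry would make the comparison read past a row. */
int safe_diff_bbox(const frame_t *output, const frame_t *input,
                   unsigned bpp, bbox_t *box)
{
    size_t row_bytes;
    unsigned x, y;
    const uint8_t *in_row, *out_row;

    if (!output || !input || !output->data || !input->data || !box || bpp == 0)
        return -1;
    if (input->width <= 0 || input->height <= 0)
        return -1;
    /* the background must cover the whole foreground */
    if (output->width < input->width || output->height < input->height)
        return -1;
    row_bytes = (size_t)bpp * (size_t)input->width;
    /* linesize may be padded, but never shorter than the pixels compared */
    if (input->linesize < (ptrdiff_t)row_bytes ||
        output->linesize < (ptrdiff_t)row_bytes)
        return -1;

    box->left = (unsigned)input->width;
    box->right = 0;
    box->top = (unsigned)input->height;
    box->bottom = 0;
    in_row = input->data;
    out_row = output->data;
    for (y = 0; y < (unsigned)input->height; ++y) {
        for (x = 0; x < (unsigned)input->width; ++x) {
            if (!memcmp(in_row + bpp * x, out_row + bpp * x, bpp))
                continue;
            if (x < box->left)    box->left = x;
            if (x >= box->right)  box->right = x + 1;
            if (y < box->top)     box->top = y;
            if (y >= box->bottom) box->bottom = y + 1;
        }
        in_row += input->linesize;
        out_row += output->linesize;
    }
    return 0;
}

/* Constructed sample: 4x3 RGB24 frames (bpp = 3). The background is all
 * zero and padded to a 16-byte linesize; the foreground differs from it
 * at pixels (1,0) and (2,2). */
static const uint8_t bg_pixels[3 * 16] = { 0 };
static const uint8_t fg_pixels[3 * 12] = {
    0,0,0,  9,9,9,  0,0,0,  0,0,0,
    0,0,0,  0,0,0,  0,0,0,  0,0,0,
    0,0,0,  0,0,0,  7,7,7,  0,0,0,
};
bbox_t demo_box;

/* Well-formed frames: returns 0 and leaves demo_box = {1, 3, 0, 3}. */
int demo_changed_pixels(void)
{
    frame_t bg = { 4, 3, 16, bg_pixels };
    frame_t fg = { 4, 3, 12, fg_pixels };
    return safe_diff_bbox(&bg, &fg, 3, &demo_box);
}

/* Background narrower than the foreground: the unchecked loop would read
 * past each background row; the checked version returns -1 instead. */
int demo_narrow_background(void)
{
    frame_t bg = { 2, 3, 6, bg_pixels };
    frame_t fg = { 4, 3, 12, fg_pixels };
    bbox_t box;
    return safe_diff_bbox(&bg, &fg, 3, &box);
}

int main(void)
{
    int rc = demo_changed_pixels();
    printf("changed pixels: rc=%d box=[%u,%u)x[%u,%u)\n", rc,
           demo_box.left, demo_box.right, demo_box.top, demo_box.bottom);
    printf("narrow background: rc=%d\n", demo_narrow_background());
    return 0;
}
```

The checks are deliberately placed once, before the loop, so the hot path keeps the original shape; rejecting a frame pair whose background cannot cover the foreground is the behaviour an encoder should prefer over an out-of-bounds read, and a caller can surface the -1 as an error instead of producing a frame.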