[FFmpeg-cvslog] avcodec/libopenh264dec: Increase array sizes, fix stack-buffer overread

Andreas Rheinhardt git at videolan.org
Wed Jan 12 02:50:14 EET 2022


ffmpeg | branch: release/4.4 | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Mon Dec  6 12:20:21 2021 +0100| [0066e79c9eca8611ff425221bc54a58969ca606f] | committer: Andreas Rheinhardt

avcodec/libopenh264dec: Increase array sizes, fix stack-buffer overread

av_image_copy() expects an array of four pointers and linesizes
according to its declaration; it currently only accesses pointers that are
actually in use (depending upon the pixel format), but this might
change at any time. It has already happened for the linesizes in
d7bc52bf456deba0f32d9fe5c288ec441f1ebef5 and so increasing their
array fixes a stack-buffer overread.

This fixes a -Wstringop-overflow= and -Wstringop-overread warning
from GCC 11.2.

Reviewed-by: Linjie Fu <linjie.justin.fu at gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
(cherry picked from commit b0b90100bfda8c5cf95889e00183589de0abce60)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0066e79c9eca8611ff425221bc54a58969ca606f
---

 libavcodec/libopenh264dec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/libopenh264dec.c b/libavcodec/libopenh264dec.c
index c7aa7fa19c..dcd781dd84 100644
--- a/libavcodec/libopenh264dec.c
+++ b/libavcodec/libopenh264dec.c
@@ -91,8 +91,8 @@ static int svc_decode_frame(AVCodecContext *avctx, void *data,
 {
     SVCContext *s = avctx->priv_data;
     SBufferInfo info = { 0 };
-    uint8_t* ptrs[3];
-    int ret, linesize[3];
+    uint8_t *ptrs[4] = { NULL };
+    int ret, linesize[4];
     AVFrame *avframe = data;
     DECODING_STATE state;
 #if OPENH264_VER_AT_LEAST(1, 7)
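Review bot: linesize[4] is declared without an initializer while ptrs[4] on the line above gets { NULL }, so the fourth linesize entry is only defined if the later assignment before av_image_copy() stays in place. Initializing both arrays the same way at the declaration, e.g. "int ret, linesize[4] = { 0 };", would keep the two arrays consistent and make the extra element safe regardless of what happens further down in the function.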
@@ -140,6 +140,7 @@ static int svc_decode_frame(AVCodecContext *avctx, void *data,
 
     linesize[0] = info.UsrData.sSystemBuffer.iStride[0];
     linesize[1] = linesize[2] = info.UsrData.sSystemBuffer.iStride[1];
+    linesize[3] = 0;
     av_image_copy(avframe->data, avframe->linesize, (const uint8_t **) ptrs, linesize, avctx->pix_fmt, avctx->width, avctx->height);
 
     avframe->pts     = info.uiOutYuvTimeStamp;
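Review bot: the new "linesize[3] = 0;" line has no comment, and since only strides 0 and 1 of the decoder's buffer are used for three planes, it looks like dead code that a later cleanup could remove. A one-line comment stating that av_image_copy() is declared to take four-element pointer and linesize arrays, so the unused fourth entry must still be defined, would record why the assignment exists.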


