[FFmpeg-devel] [PATCH] clamp theora filter_limit_values

Reimar Döffinger Reimar.Doeffinger
Sun Jul 5 11:36:36 CEST 2009


On Sun, Jul 05, 2009 at 04:29:44AM -0400, David Conrad wrote:
> On Jul 5, 2009, at 4:04 AM, Reimar Döffinger wrote:
> > this fixes an out-of-bounds write in init_loop_filter with
> > ogv/smclock.ogv.1.84.ogv from issue 1240.
> > My patch would just limit the filter limit values read from the file  
> > to 64,
> > which avoids the issue. If larger values are allowed, e.g. the size of
> > the bounding_values_array would have to be increased.
> 
> Larger values are allowed IIRC, the max being 127.

I have some doubts about the visual usefulness of those values, but I
guess this variant is more correct then.
-------------- next part --------------
Index: vp3.c
===================================================================
--- vp3.c	(revision 19346)
+++ vp3.c	(working copy)
@@ -517,23 +517,30 @@
 /*
  * This function initializes the loop filter boundary limits if the frame's
  * quality index is different from the previous frame's.
+ *
+ * The filter_limit_values may not be larger than 127.
  */
 static void init_loop_filter(Vp3DecodeContext *s)
 {
     int *bounding_values= s->bounding_values_array+127;
     int filter_limit;
     int x;
+    int value;
 
     filter_limit = s->filter_limit_values[s->qps[0]];
 
     /* set up the bounding values */
     memset(s->bounding_values_array, 0, 256 * sizeof(int));
     for (x = 0; x < filter_limit; x++) {
-        bounding_values[-x - filter_limit] = -filter_limit + x;
         bounding_values[-x] = -x;
         bounding_values[x] = x;
-        bounding_values[x + filter_limit] = filter_limit - x;
     }
+    for (x = value = filter_limit; x < 128 && value; x++, value--) {
+        bounding_values[ x] =  value;
+        bounding_values[-x] = -value;
+    }
+    if (value)
+        bounding_values[128] = value;
     bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202;
 }
 
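Review bot: the first loop, for (x = 0; x < filter_limit; x++), still writes bounding_values[-x] and bounding_values[x] with no bound of its own, so this function is only safe while the caller guarantees filter_limit <= 127. The new comment documents that limit but nothing in init_loop_filter enforces it; an assert on filter_limit at the top, or capping the first loop at 128 the way the second loop is capped, would keep the function safe if another path ever fills filter_limit_values. The tail write, if (value) bounding_values[128] = value;, also deserves a one-line comment: with the +127 offset, index 128 is the last of the 256 ints cleared by the memset, and there is no -128 counterpart because that would fall before the start of the array.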
@@ -2164,8 +2171,13 @@
     if (s->theora >= 0x030200) {
         n = get_bits(gb, 3);
         /* loop filter limit values table */
-        for (i = 0; i < 64; i++)
+        for (i = 0; i < 64; i++) {
             s->filter_limit_values[i] = get_bits(gb, n);
+            if (s->filter_limit_values[i] > 127) {
+                av_log(avctx, AV_LOG_ERROR, "filter limit value too large (%i > 127), clamping\n", s->filter_limit_values[i]);
+                s->filter_limit_values[i] = 127;
+            }
+        }
     }
 
     if (s->theora >= 0x030200)
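Review bot: the > 127 check in the table loop cannot fire as written. n comes from get_bits(gb, 3), so it is at most 7, and get_bits(gb, n) with n <= 7 returns at most 127. Either drop the branch or keep it as a deliberately defensive check and say so in a comment, since init_loop_filter in the other hunk now relies on this bound. If it stays, the av_log line runs well past 80 columns and should be wrapped.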



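The index arithmetic behind the thread, as an added example that is not part of the original mail or of FFmpeg: it records which array elements the old and the patched loops would touch for every filter_limit from 0 to 127, without writing anything. The names span, touch, span_before, span_after and first_unsafe are hypothetical, and treating elements 0..255 as the valid range is an assumption taken from the memset in the patch context.

```c
#include <stdio.h>
/* Model of the patch context: bounding_values = bounding_values_array + 127,
 * and the memset clears 256 ints, so elements 0..255 are treated as valid.
 * The writes to [129]/[130] are the same in both versions and are left out. */
struct span { int lo, hi; };            /* lowest/highest element touched */

static void touch(struct span *s, int idx) {
    int elem = idx + 127;               /* bounding_values index -> element */
    if (elem < s->lo) s->lo = elem;
    if (elem > s->hi) s->hi = elem;
}

static struct span span_before(int filter_limit) { /* loop before the patch */
    struct span s = { 127, 127 };
    for (int x = 0; x < filter_limit; x++) {
        touch(&s, -x - filter_limit);
        touch(&s, -x);
        touch(&s, x);
        touch(&s, x + filter_limit);
    }
    return s;
}

static struct span span_after(int filter_limit) {  /* loops after the patch */
    struct span s = { 127, 127 };
    int x, value;
    for (x = 0; x < filter_limit; x++) {
        touch(&s, -x);
        touch(&s, x);
    }
    for (x = value = filter_limit; x < 128 && value; x++, value--) {
        touch(&s, x);
        touch(&s, -x);
    }
    if (value)
        touch(&s, 128);
    return s;
}

/* Smallest filter_limit in 0..127 that leaves elements 0..255, or -1. */
static int first_unsafe(struct span (*pattern)(int)) {
    for (int fl = 0; fl <= 127; fl++)
        if (pattern(fl).lo < 0 || pattern(fl).hi > 255)
            return fl;
    return -1;
}

int main(void) {
    printf("first unsafe limit before: %d, after: %d\n",
           first_unsafe(span_before), first_unsafe(span_after));
    return 0;
}
```

The old loop first leaves the modelled range at filter_limit 65, which matches the observation in the thread that limiting the values to 64 avoids the issue.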