[Ffmpeg-devel][PATCH] Possible bug in bmp decoder

Michel Bardiaux mbardiaux
Wed Jan 31 10:26:12 CET 2007


Diego Biurrun wrote:
> On Mon, Jan 29, 2007 at 11:32:13PM +0000, Måns Rullgård wrote:
>> Michael Niedermayer <michaelni at gmx.at> writes:
>>
>>> On Mon, Jan 29, 2007 at 03:05:17PM +0100, Michel Bardiaux wrote:
>>>> Reimar Doeffinger wrote:
>>>>> On Mon, Jan 29, 2007 at 02:18:47PM +0100, Michel Bardiaux wrote:
>>>>>> Alex Beregszaszi wrote:
>>>>>>>> ...
>>>>>>>>    switch(depth){
>>>>>>>>    case 24:
>>>>>>>>        for(i = 0; i < avctx->height; i++){
>>>>>>>>            memcpy(ptr, buf, n);
>>>>>>>>            buf += n;
>>>>>>>>            ptr += linesize;
>>>>>>>>        }
>>>>>>>>        break;
>>>>>>>> ...
>>>>>>>>
>>>>>>>> Should it not be memcpy(ptr, buf, linesize) ?
>>>>>>> n probably means input linesize, while linesize is the output linesize.
>>>>>> Yes.
>>>>>>
>>>>>>> I guess 24bit BMP doesn't store the padding 1 byte.
>>>>>> Actually it does, see
>>>>>>
>>>>>>    /* Line size in file multiple of 4 */
>>>>>>    n = (avctx->width * (depth / 8) + 3) & ~3;
>>>>>>
>>>>>> and that's why I am suspicious.
>>>>> Neither is right, avctx->width * (depth >> 3) is the right value.
>>>> Yes. Patch attached.
>>> looks ok assuming mans has no objections
>> Fine by me, assuming it is correct.  I don't have any specs or samples
>> at hand.
> 
> Somebody provide me with a proper commit message and I'll apply this
> patch.
> 
What about 'Fix memcpy out-of-bounds'?


-- 
Michel Bardiaux
R&D Director
T +32 [0] 2 790 29 41
F +32 [0] 2 790 29 02
E mailto:mbardiaux at mediaxim.be

Mediaxim NV/SA
Vorstlaan 191 Boulevard du Souverain
Brussel 1160 Bruxelles
http://www.mediaxim.com/
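
The row copy discussed in the quoted thread, as an added example that is not part of the original message and not FFmpeg code: each row copies width * (depth >> 3) bytes while the source advances by the padded file stride n. The function names and the explicit buffer-size parameters are hypothetical, and the bounds checks go beyond what the thread states; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Pixel bytes in one row, without padding (width assumed already bounded). */
static size_t bmp_row_bytes(int width, int depth)
{
    return (size_t)width * (size_t)(depth >> 3);
}

/* Row size as stored in the file: padded up to a multiple of 4. */
static size_t bmp_file_stride(int width, int depth)
{
    return (bmp_row_bytes(width, depth) + 3) & ~(size_t)3;
}

/* Copy `height` rows; returns 0 on success, -1 if a buffer is too small. */
static int bmp_copy_rows(uint8_t *dst, size_t dst_size, size_t dst_linesize,
                         const uint8_t *src, size_t src_size,
                         int width, int height, int depth)
{
    if (width <= 0 || height <= 0 || depth < 8)
        return -1;
    size_t row = bmp_row_bytes(width, depth);
    size_t n = bmp_file_stride(width, depth);
    size_t last = (size_t)height - 1;   /* the final row needs no padding */
    if (dst_linesize < row || last > (SIZE_MAX - row) / n ||
        last > (SIZE_MAX - row) / dst_linesize)
        return -1;
    if (src_size < last * n + row || dst_size < last * dst_linesize + row)
        return -1;
    for (size_t i = 0; i <= last; i++)
        memcpy(dst + i * dst_linesize, src + i * n, row); /* row, not n */
    return 0;
}

/* Constructed sample: 3x2 pixels at 24 bpp, so row = 9 and n = 12. */
static int demo_copy(size_t dst_size)
{
    uint8_t src[24], dst[18] = {0};
    for (size_t i = 0; i < sizeof(src); i++)
        src[i] = (uint8_t)i;
    if (bmp_copy_rows(dst, dst_size, 9, src, sizeof(src), 3, 2, 24) < 0)
        return -1;
    return dst[9];   /* first byte of output row 1, taken from src[12] */
}

int main(void) { return demo_copy(18) == 12 ? 0 : 1; }
```

With a tightly packed 18-byte output (linesize 9), copying n = 12 bytes into the second row would write 3 bytes past the end of the buffer; copying 9 bytes stays in bounds.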



