[FFmpeg-devel] [PATCH] lavfi/smptebars: fix invalid writes

Paul B Mahol onemda at gmail.com
Thu Apr 4 22:50:33 CEST 2013 

On 4/4/13, Michael Niedermayer <michaelni at gmx.at> wrote:
> On Thu, Apr 04, 2013 at 09:02:46PM +0200, Stefano Sabatini wrote:
>> On date Thursday 2013-04-04 14:36:52 +0000, Paul B Mahol encoded:
>> > Signed-off-by: Paul B Mahol <onemda at gmail.com>
>> > ---
>> >  libavfilter/vsrc_testsrc.c | 22 +++++++++++-----------
>> >  1 file changed, 11 insertions(+), 11 deletions(-)
>> >
>> > diff --git a/libavfilter/vsrc_testsrc.c b/libavfilter/vsrc_testsrc.c
>> > index 9317f82..5b1cefc 100644
>> > --- a/libavfilter/vsrc_testsrc.c
>> > +++ b/libavfilter/vsrc_testsrc.c
>> > @@ -721,25 +721,25 @@ static void smptebars_fill_picture(AVFilterContext
>> > *ctx, AVFrame *picref)
>> >      for (i = 0; i < 7; i++) {
>> >          DRAW_COLOR(rainbow[i], x, 0,   FFMIN(r_w, test->w - x), r_h);
>> >          DRAW_COLOR(wobnair[i], x, r_h, FFMIN(r_w, test->w - x), w_h);
>> > -        x += r_w;
>> > +        x = FFMIN(test->w, x + r_w);
>> >      }
>> >      x = 0;
>> >      DRAW_COLOR(i_pixel, x, r_h + w_h, p_w, p_h);
>> > -    x += p_w;
>> > +    x = FFMIN(test->w, x + p_w);
>> >      DRAW_COLOR(white, x, r_h + w_h, p_w, p_h);
>> > -    x += p_w;
>> > +    x = FFMIN(test->w, x + p_w);
>> >      DRAW_COLOR(q_pixel, x, r_h + w_h, p_w, p_h);
>> > -    x += p_w;
>> > +    x = FFMIN(test->w, x + p_w);
>> >      tmp = FFALIGN(5 * r_w - x,  1 << pixdesc->log2_chroma_w);
>> >      DRAW_COLOR(black, x, r_h + w_h, tmp, p_h);
>> > -    x += tmp;
>> > +    x = FFMIN(test->w, x + tmp);
>> >      tmp = FFALIGN(r_w / 3,  1 << pixdesc->log2_chroma_w);
>> > -    DRAW_COLOR(neg4ire, x, r_h + w_h, tmp, p_h);
>> > -    x += tmp;
>> > -    DRAW_COLOR(black, x, r_h + w_h, tmp, p_h);
>> > -    x += tmp;
>> > -    DRAW_COLOR(pos4ire, x, r_h + w_h, tmp, p_h);
>> > -    x += tmp;
>> > +    DRAW_COLOR(neg4ire, x, r_h + w_h, FFMIN(tmp, test->w - x), p_h);
>> > +    x = FFMIN(test->w, x + tmp);
>> > +    DRAW_COLOR(black, x, r_h + w_h, FFMIN(tmp, test->w - x), p_h);
>> > +    x = FFMIN(test->w, x + tmp);
>> > +    DRAW_COLOR(pos4ire, x, r_h + w_h, FFMIN(tmp, test->w - x), p_h);
>> > +    x = FFMIN(test->w, x + tmp);
>> >      DRAW_COLOR(black, x, r_h + w_h, test->w - x, p_h);
>>
>> How does this happen?
>
> the width stuff gets rounded up and is then too large i guess

It happened before, but perhaps it did not segv here. Now its slightly
more obvious.

Adding simple asserts to macro becomes impossible mission, i will replace
macro with inline function.

>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> It is dangerous to be right in matters on which the established authorities
> are wrong. -- Voltaire
>

More information about the ffmpeg-devel mailing list