[FFmpeg-devel] [PATCH 1/4] avfilter/af_alimiter: Check nextpos before use

[FFmpeg-devel] [PATCH 1/4] avfilter/af_alimiter: Check nextpos before use

[Michael Niedermayer]

Fixes: out of array read
Fixes: tickets/10744/poc11ffmpeg

Found-by: Li Zeyuan and Zeng Yunxiang.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavfilter/af_alimiter.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c
index f08893229de..9a867047643 100644
--- a/libavfilter/af_alimiter.c
+++ b/libavfilter/af_alimiter.c
@@ -195,9 +195,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
                     int j = i % buffer_size;
                     double ppeak = 0, pdelta;
 
-                    for (c = 0; c < channels; c++) {
-                        ppeak = FFMAX(ppeak, fabs(buffer[nextpos[j] + c]));
-                    }
+                    if (nextpos[j] >= 0)
+                        for (c = 0; c < channels; c++) {
+                            ppeak = FFMAX(ppeak, fabs(buffer[nextpos[j] + c]));
+                        }
                     pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels);
                     if (pdelta < nextdelta[j]) {
                         nextdelta[j] = pdelta;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/4] avfilter/vf_swaprect: assert that rectangles are within memory

[Michael Niedermayer]

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavfilter/vf_swaprect.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c
index 13ae149afdb..8a983b605bf 100644
--- a/libavfilter/vf_swaprect.c
+++ b/libavfilter/vf_swaprect.c
@@ -18,6 +18,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/eval.h"
 #include "libavutil/imgutils.h"
@@ -182,6 +183,10 @@ FF_ENABLE_DEPRECATION_WARNINGS
     y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h);
     y2[0] = y2[3] = y2[0];
 
+
+    av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]);
+    av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]);
+
     for (p = 0; p < s->nb_planes; p++) {
         if (ph[p] == ah[p] && pw[p] == aw[p]) {
             uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p];
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/4] avfilter/vf_swaprect: Use height for vertical variables

[Michael Niedermayer]

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavfilter/vf_swaprect.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c
index 8a983b605bf..20d8e233e45 100644
--- a/libavfilter/vf_swaprect.c
+++ b/libavfilter/vf_swaprect.c
@@ -150,10 +150,10 @@ FF_ENABLE_DEPRECATION_WARNINGS
     w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2;
 
     x1[0] = av_clip(x1[0], 0, inlink->w - 1);
-    y1[0] = av_clip(y1[0], 0, inlink->w - 1);
+    y1[0] = av_clip(y1[0], 0, inlink->h - 1);
 
     x2[0] = av_clip(x2[0], 0, inlink->w - 1);
-    y2[0] = av_clip(y2[0], 0, inlink->w - 1);
+    y2[0] = av_clip(y2[0], 0, inlink->h - 1);
 
     ah[1] = ah[2] = AV_CEIL_RSHIFT(h, s->desc->log2_chroma_h);
     ah[0] = ah[3] = h;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/4] avfilter/vf_swaprect: round coordinates down

[Michael Niedermayer]

Fixes: out of array access:
Fixes: tickets/10745/poc12ffmpeg

Found-by: Li Zeyuan and Zeng Yunxiang.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavfilter/vf_swaprect.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c
index 20d8e233e45..119fd692fa7 100644
--- a/libavfilter/vf_swaprect.c
+++ b/libavfilter/vf_swaprect.c
@@ -173,14 +173,14 @@ FF_ENABLE_DEPRECATION_WARNINGS
     lw[1] = lw[2] = AV_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w);
     lw[0] = lw[3] = inlink->w;
 
-    x1[1] = x1[2] = AV_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w);
+    x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w);
     x1[0] = x1[3] = x1[0];
-    y1[1] = y1[2] = AV_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h);
+    y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h);
     y1[0] = y1[3] = y1[0];
 
-    x2[1] = x2[2] = AV_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w);
+    x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w);
     x2[0] = x2[3] = x2[0];
-    y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h);
+    y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h);
     y2[0] = y2[3] = y2[0];
 
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/4] avfilter/af_alimiter: Check nextpos before use

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 621 bytes --]

On Fri, Dec 22, 2023 at 10:44:59PM +0100, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: tickets/10744/poc11ffmpeg
> 
> Found-by: Li Zeyuan and Zeng Yunxiang.
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavfilter/af_alimiter.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

will apply patchset so the fixes are included in 6.1.1

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".