From mboxrd@z Thu Jan  1 00:00:00 1970
Date: Sun, 20 Apr 2025 22:42:10 +0200
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20250420204210.GI4991@pb2>
References: <20250130015722.2069524-1-michael@niedermayer.cc>
 <GV1P250MB07370ECFCE27705129BD56738FB92@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM>
MIME-Version: 1.0
In-Reply-To: <GV1P250MB07370ECFCE27705129BD56738FB92@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM>
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/h263dec: Check against previous
 dimensions instead of coded
Content-Type: multipart/mixed; boundary="===============3973095526913108664=="
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250420204210.GI4991@pb2/>


--===============3973095526913108664==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="iI2oqy5k2GFPieuc"
Content-Disposition: inline


--iI2oqy5k2GFPieuc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Apr 20, 2025 at 06:31:35PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array access
> > Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c
> >
> > Found-by: Kacper Michajlow <kasper93@gmail.com>
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/h263dec.c | 13 +++++++++----
> >  1 file changed, 9 insertions(+), 4 deletions(-)
> >
> > diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
> > index 0c23012584e..5eefdc4602b 100644
> > --- a/libavcodec/h263dec.c
> > +++ b/libavcodec/h263dec.c
> > @@ -431,6 +431,7 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVF=
rame *pict,
> >      MpegEncContext *s  =3D avctx->priv_data;
> >      int ret;
> >      int slice_ret =3D 0;
> > +    int bak_width, bak_height;
> > =20
> >      /* no supplementary picture */
> >      if (buf_size =3D=3D 0) {
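Review bot: `bak_width` and `bak_height` are declared at function scope with no initializer and no comment saying what they back up or when they are valid. Their only assignment is in the next hunk, so a one-line comment at the declaration (for example, that they hold the picture dimensions as they were before header parsing) or a declaration at the point of assignment would make it clear they are never meant to be read before that point.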
> > @@ -482,6 +483,9 @@ retry:
> >      if (ret < 0)
> >          return ret;
> > =20
> > +    bak_width  =3D s->width;
> > +    bak_height =3D s->height;
> > +
> >      /* let's go :-) */
> >      if (CONFIG_WMV2_DECODER && s->msmpeg4_version =3D=3D MSMP4_WMV2) {
> >          ret =3D ff_wmv2_decode_picture_header(s);
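Review bot: the save of `s->width` / `s->height` sits below the `retry:` label shown in the hunk header, so it is taken again on every pass through `retry:` rather than once per call. If a pass can reach `retry:` with dimensions already altered by a header parse, the values restored on failure would be the altered ones; a short comment stating that the snapshot is meant to be per-pass (or moving it above `retry:` if it is not) would settle this for readers.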
> > @@ -501,11 +505,12 @@ retry:
> >      }
> > =20
> >      if (ret < 0 || ret =3D=3D FRAME_SKIPPED) {
> > -        if (   s->width  !=3D avctx->coded_width
> > -            || s->height !=3D avctx->coded_height) {
> > +        if (   s->width  !=3D bak_width
> > +            || s->height !=3D bak_height) {
> >                  av_log(s->avctx, AV_LOG_WARNING, "Reverting picture di=
mensions change due to header decoding failure\n");
> > -                s->width =3D avctx->coded_width;
> > -                s->height=3D avctx->coded_height;
> > +                s->width =3D bak_width;
> > +                s->height=3D bak_height;
> > +
> >          }
> >      }
> >      if (ret =3D=3D FRAME_SKIPPED)
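Review bot: neither the commit message nor the code says why `avctx->coded_width` / `avctx->coded_height` were the wrong reference for the revert in the `ret < 0 || ret == FRAME_SKIPPED` branch, which is the whole point of the fix for the reported out of array access. A sentence in the commit message, or a comment above the `if`, explaining how `s->width` / `s->height` can legitimately differ from the coded dimensions before the header is parsed would keep a later cleanup from switching this back. The added empty `+` line before the closing brace of the inner `if` is stray and can be dropped.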
>
>
> Can I have the testcase?

sent privately

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Never trust a computer, one day, it may think you are the virus. -- Compn

--iI2oqy5k2GFPieuc
Content-Type: application/pgp-signature; name="signature.asc"


--iI2oqy5k2GFPieuc--

--===============3973095526913108664==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============3973095526913108664==--