forked from pool/ffmpeg-5
75 lines
2.7 KiB
Diff
75 lines
2.7 KiB
Diff
commit c443658d26d2b8e19901f9507a890e0efca79056 (HEAD -> 20231222_CVE-2023-50009_c443658d26d2b8e19901f9507a890e0efca79056)
|
|
Author: Michael Niedermayer <michael@niedermayer.cc>
|
|
Date: Fri Dec 22 11:54:24 2023 +0100
|
|
References: CVE-2023-50009
|
|
References: https://bugzilla.opensuse.org/1172423
|
|
|
|
avfilter/edge_template: Fix small inputs with gaussian_blur()
|
|
|
|
Fixes: out of array access
|
|
Fixes: Ticket10699
|
|
Fixes: poc5ffmpeg
|
|
|
|
Found-by: Zeng Yunxiang
|
|
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
|
|
diff --git a/libavfilter/edge_template.c b/libavfilter/edge_template.c
|
|
index 14635c25af..ce45e579db 100644
|
|
--- a/libavfilter/edge_template.c
|
|
+++ b/libavfilter/edge_template.c
|
|
@@ -74,6 +74,7 @@ void fn(gaussian_blur)(int w, int h,
|
|
uint8_t *dst, int dst_linesize,
|
|
const uint8_t *src, int src_linesize, int src_stride)
|
|
{
|
|
+ int j;
|
|
pixel *srcp = (pixel *)src;
|
|
pixel *dstp = (pixel *)dst;
|
|
|
|
@@ -81,12 +82,17 @@ void fn(gaussian_blur)(int w, int h,
|
|
src_linesize /= sizeof(pixel);
|
|
dst_linesize /= sizeof(pixel);
|
|
|
|
- memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
|
|
- memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
|
|
- for (int j = 2; j < h - 2; j++) {
|
|
- dstp[0] = srcp[(0)*src_stride];
|
|
- dstp[1] = srcp[(1)*src_stride];
|
|
- for (int i = 2; i < w - 2; i++) {
|
|
+ for (j = 0; j < FFMIN(h, 2); j++) {
|
|
+ memcpy(dstp, srcp, w*sizeof(pixel));
|
|
+ dstp += dst_linesize;
|
|
+ srcp += src_linesize;
|
|
+ }
|
|
+
|
|
+ for (; j < h - 2; j++) {
|
|
+ int i;
|
|
+ for (i = 0; i < FFMIN(w, 2); i++)
|
|
+ dstp[i] = srcp[i*src_stride];
|
|
+ for (; i < w - 2; i++) {
|
|
/* Gaussian mask of size 5x5 with sigma = 1.4 */
|
|
dstp[i] = ((srcp[-2*src_linesize + (i-2)*src_stride] + srcp[2*src_linesize + (i-2)*src_stride]) * 2
|
|
+ (srcp[-2*src_linesize + (i-1)*src_stride] + srcp[2*src_linesize + (i-1)*src_stride]) * 4
|
|
@@ -106,12 +112,15 @@ void fn(gaussian_blur)(int w, int h,
|
|
+ srcp[(i+1)*src_stride] * 12
|
|
+ srcp[(i+2)*src_stride] * 5) / 159;
|
|
}
|
|
- dstp[w - 2] = srcp[(w - 2)*src_stride];
|
|
- dstp[w - 1] = srcp[(w - 1)*src_stride];
|
|
+ for (; i < w; i++)
|
|
+ dstp[i] = srcp[i*src_stride];
|
|
|
|
dstp += dst_linesize;
|
|
srcp += src_linesize;
|
|
}
|
|
- memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
|
|
- memcpy(dstp, srcp, w*sizeof(pixel));
|
|
+ for (; j < h; j++) {
|
|
+ memcpy(dstp, srcp, w*sizeof(pixel));
|
|
+ dstp += dst_linesize;
|
|
+ srcp += src_linesize;
|
|
+ }
|
|
}
|
|
--
|
|
2.41.0
|
|
|