ffmpeg-5/ffmpeg-CVE-2023-50009.patch

75 lines
2.7 KiB
Diff
Raw Permalink Normal View History

commit c443658d26d2b8e19901f9507a890e0efca79056 (HEAD -> 20231222_CVE-2023-50009_c443658d26d2b8e19901f9507a890e0efca79056)
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri Dec 22 11:54:24 2023 +0100
References: CVE-2023-50009
References: https://bugzilla.opensuse.org/1172423
avfilter/edge_template: Fix small inputs with gaussian_blur()
Fixes: out of array access
Fixes: Ticket10699
Fixes: poc5ffmpeg
Found-by: Zeng Yunxiang
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
diff --git a/libavfilter/edge_template.c b/libavfilter/edge_template.c
index 14635c25af..ce45e579db 100644
--- a/libavfilter/edge_template.c
+++ b/libavfilter/edge_template.c
@@ -74,6 +74,7 @@ void fn(gaussian_blur)(int w, int h,
uint8_t *dst, int dst_linesize,
const uint8_t *src, int src_linesize, int src_stride)
{
+ int j;
pixel *srcp = (pixel *)src;
pixel *dstp = (pixel *)dst;
@@ -81,12 +82,17 @@ void fn(gaussian_blur)(int w, int h,
src_linesize /= sizeof(pixel);
dst_linesize /= sizeof(pixel);
- memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
- memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
- for (int j = 2; j < h - 2; j++) {
- dstp[0] = srcp[(0)*src_stride];
- dstp[1] = srcp[(1)*src_stride];
- for (int i = 2; i < w - 2; i++) {
+ for (j = 0; j < FFMIN(h, 2); j++) {
+ memcpy(dstp, srcp, w*sizeof(pixel));
+ dstp += dst_linesize;
+ srcp += src_linesize;
+ }
+
+ for (; j < h - 2; j++) {
+ int i;
+ for (i = 0; i < FFMIN(w, 2); i++)
+ dstp[i] = srcp[i*src_stride];
+ for (; i < w - 2; i++) {
/* Gaussian mask of size 5x5 with sigma = 1.4 */
dstp[i] = ((srcp[-2*src_linesize + (i-2)*src_stride] + srcp[2*src_linesize + (i-2)*src_stride]) * 2
+ (srcp[-2*src_linesize + (i-1)*src_stride] + srcp[2*src_linesize + (i-1)*src_stride]) * 4
@@ -106,12 +112,15 @@ void fn(gaussian_blur)(int w, int h,
+ srcp[(i+1)*src_stride] * 12
+ srcp[(i+2)*src_stride] * 5) / 159;
}
- dstp[w - 2] = srcp[(w - 2)*src_stride];
- dstp[w - 1] = srcp[(w - 1)*src_stride];
+ for (; i < w; i++)
+ dstp[i] = srcp[i*src_stride];
dstp += dst_linesize;
srcp += src_linesize;
}
- memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
- memcpy(dstp, srcp, w*sizeof(pixel));
+ for (; j < h; j++) {
+ memcpy(dstp, srcp, w*sizeof(pixel));
+ dstp += dst_linesize;
+ srcp += src_linesize;
+ }
}
--
2.41.0