forked from jengelh/ffmpeg-5
29 lines
1.2 KiB
Diff
29 lines
1.2 KiB
Diff
|
commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a (20231224_CVE-2023-50010_e4d2666bdc3dbd177a81bbf428654a5f2fa3787a)
|
||
|
Author: Michael Niedermayer <michael@niedermayer.cc>
|
||
|
Date: Sun Dec 24 20:50:51 2023 +0100
|
||
|
|
||
|
avfilter/vf_gradfun: Do not overread last line
|
||
|
|
||
|
The code works in steps of 2 lines and lacks support for odd height
|
||
|
Implementing odd height support is better but for now this fixes the
|
||
|
out of array access
|
||
|
|
||
|
Fixes: out of array access
|
||
|
Fixes: tickets/10702/poc6ffmpe
|
||
|
|
||
|
Found-by: Zeng Yunxiang
|
||
|
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
||
|
|
||
|
diff -Nura ffmpeg-5.1.4/libavfilter/vf_gradfun.c ffmpeg-5.1.4_new/libavfilter/vf_gradfun.c
|
||
|
--- ffmpeg-5.1.4/libavfilter/vf_gradfun.c 2023-11-10 07:38:51.000000000 +0800
|
||
|
+++ ffmpeg-5.1.4_new/libavfilter/vf_gradfun.c 2024-05-07 19:36:59.563277057 +0800
|
||
|
@@ -92,7 +92,7 @@
|
||
|
for (y = 0; y < r; y++)
|
||
|
ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2);
|
||
|
for (;;) {
|
||
|
- if (y < height - r) {
|
||
|
+ if (y + 1 < height - r) {
|
||
|
int mod = ((y + r) / 2) % r;
|
||
|
uint16_t *buf0 = buf + mod * bstride;
|
||
|
uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride;
|