On Fri, Feb 26, 2016 at 11:29:05AM +0100, wm4 wrote:
> On Fri, 26 Feb 2016 02:38:13 +0100
> Michael Niedermayer <mich...@niedermayer.cc> wrote:
>
> > On Fri, Feb 26, 2016 at 12:15:19AM +0100, Reimar Döffinger wrote:
> > > We do neither document nor check such a requirement
> > > and for application-provided get_buffer2 they could
> > > contain the result of a malloc(0) or whatever value
> > > they had previously.
> > > This fixes a use-after-free in e.g. MPlayer:
> > > https://trac.mplayerhq.hu/ticket/2262
> > > We might want to consider changing the (documented)
> > > API in addition though.
> > >
> > > Signed-off-by: Reimar Döffinger <reimar.doeffin...@gmx.de>
> > > ---
> > >  libavcodec/mjpegdec.c | 8 +++++---
> > >  1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > the assumption that unused plane pointers are NULL is more
> > widespread than mjpeg i think
> >
> > also, is it really a good idea to leave stale pointers in the array?
> >
> > [...]
>
> Unfortunately I have to agree. I got some crashes in libavfilter when I
> didn't set some "unused" plane pointers to NULL. Some code is just lazy
> and checks plane pointers for NULL, instead of retrieving the proper
> plane count.

lavfi seems to do both sometimes. For example:

☭ git grep '\[plane\] &&'
libavfilter/vf_boxblur.c: for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++)
libavfilter/vf_boxblur.c: for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++)
libavfilter/vf_fieldmatch.c: for (plane = 0; plane < 4 && src->data[plane] && src->linesize[plane]; plane++) {
libavfilter/vf_fieldorder.c: for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) {
libavfilter/vf_framerate.c: for (plane = 0; plane < 4 && copy_src1->data[plane] && copy_src2->data[plane]; plane++) {
libavfilter/vf_framerate.c: for (plane = 0; plane < 4 && copy_src1->data[plane] && copy_src2->data[plane]; plane++) {
libavfilter/vf_hflip.c: for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {
libavfilter/vf_kerndeint.c: for (plane = 0; plane < 4 && inpic->data[plane] && inpic->linesize[plane]; plane++) {
libavfilter/vf_lut.c: for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {
libavfilter/vf_lut.c: for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {
libavfilter/vf_mpdecimate.c: for (plane = 0; ref->data[plane] && ref->linesize[plane]; plane++) {
libavfilter/vf_pad.c: for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) {
libavfilter/vf_showinfo.c: for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) {
libavfilter/vf_showinfo.c: for (plane = 1; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
libavfilter/vf_showinfo.c: for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
libavfilter/vf_showinfo.c: for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
libavfilter/vf_vignette.c: for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {

--
Clément B.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
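
The two loop styles contrasted in this thread, as an added example that is not part of the original messages or FFmpeg's code: a simplified model showing how the NULL-terminated loop from the grep output overcounts planes when an allocator leaves old values in unused slots, while a loop bounded by the plane count does not. The struct `frame_model`, its `nb_planes` field and all function names are hypothetical, and the sample frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_PLANES 4

/* Simplified stand-in for a frame's data[]/linesize[] (hypothetical, not libavutil's AVFrame). */
struct frame_model {
    uint8_t *data[MAX_PLANES];
    int      linesize[MAX_PLANES];
    int      nb_planes; /* assumed to be derived from the pixel format */
};

/* Loop style from the grep output: stop at the first NULL/zero entry. */
static int planes_by_null_check(const struct frame_model *f) {
    int plane = 0;
    while (plane < MAX_PLANES && f->data[plane] && f->linesize[plane])
        plane++;
    return plane;
}

/* Loop bounded by the plane count: unused slots are never inspected. */
static int planes_by_count(const struct frame_model *f) {
    int plane = 0;
    while (plane < f->nb_planes && plane < MAX_PLANES && f->data[plane])
        plane++;
    return plane;
}

/* Allocator-side hardening: clear every slot past the plane count. */
static void clear_unused_planes(struct frame_model *f) {
    for (int plane = f->nb_planes < 0 ? 0 : f->nb_planes; plane < MAX_PLANES; plane++) {
        f->data[plane] = NULL;
        f->linesize[plane] = 0;
    }
}

/* Constructed sample: a 1-plane frame with leftover values in slots 1 and 2. */
static struct frame_model make_stale_gray_frame(void) {
    static uint8_t luma[16], leftover[16]; /* leftover stands in for a stale pointer */
    return (struct frame_model){ { luma, leftover, leftover, NULL }, { 4, 2, 2, 0 }, 1 };
}

int main(void) {
    struct frame_model f = make_stale_gray_frame();
    printf("NULL check: %d, count: %d\n", planes_by_null_check(&f), planes_by_count(&f));
    clear_unused_planes(&f);
    printf("NULL check after clearing: %d\n", planes_by_null_check(&f));
    return 0;
}
```

The example only counts the planes each loop would visit and never dereferences the leftover entries; in real code those entries may point to freed memory.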