New submission from Harry Sintonen <[email protected]>:
libswscale/utils.c/sws_init_context() has the following code:
c->lumXInc= ((srcW<<16) + (dstW>>1))/dstW;
c->lumYInc= ((srcH<<16) + (dstH>>1))/dstH;
This clearly fails when srcW/srcH is larger than 32767, resulting in a bogus
lumXInc/lumYInc. Luckily the value is only used to advance the source pointer
(that is: the bug can only generate a read segfault).
Proposed fix:
c->lumXInc= (((int64_t)srcW<<16) + (dstW>>1))/dstW;
c->lumYInc= (((int64_t)srcH<<16) + (dstH>>1))/dstH;
----------
messages: 13640
priority: normal
status: new
substatus: new
title: libswscale lumXInc/lumYInc integer overflow with srcW/srcH > 32767
topic: swscaler
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2594>
________________________________________________
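As an added illustration (not code from the report or from FFmpeg), this small C program reproduces the 32-bit intermediate overflow described above beside the proposed int64_t form. The wrapped value is emulated with unsigned arithmetic because the real expression's signed shift is undefined behaviour once srcW > 32767; the function names and sample widths are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulates the original computation
 *   c->lumXInc = ((srcW<<16) + (dstW>>1))/dstW;
 * with wrapping unsigned arithmetic so the wrapped result is reproducible.
 * In the real code the shift is on a signed int, so for srcW > 32767 it is
 * undefined behaviour; the value below is the usual two's-complement outcome. */
static int32_t lum_inc_32bit(int srcW, int dstW)
{
    uint32_t shifted = (uint32_t)srcW << 16;                  /* wraps past 2^32 */
    int32_t sum = (int32_t)(shifted + (uint32_t)(dstW >> 1)); /* negative when wrapped */
    return sum / dstW;                                        /* bogus (negative) increment */
}

/* The proposed fix: widen before shifting so the intermediate cannot wrap. */
static int64_t lum_inc_64bit(int srcW, int dstW)
{
    return (((int64_t)srcW << 16) + (dstW >> 1)) / dstW;
}

/* The report's bound: srcW << 16 only fits in a 32-bit int while srcW <= 32767. */
static int shift_fits_int32(int srcW)
{
    return ((int64_t)srcW << 16) <= INT32_MAX;
}

int main(void)
{
    int dstW = 1000;
    int widths[] = { 32767, 32768, 40000 };   /* constructed sample source widths */
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int w = widths[i];
        printf("srcW=%d dstW=%d fits=%d 32-bit=%d 64-bit=%lld\n",
               w, dstW, shift_fits_int32(w),
               (int)lum_inc_32bit(w, dstW), (long long)lum_inc_64bit(w, dstW));
    }
    return 0;
}
```

A negative increment moves the source pointer backwards on every output pixel, which is why the reporter classifies the outcome as an out-of-bounds read rather than a write.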