
[MPlayer-dev-eng] [PATCH] spudec: fix heap overflow in pal2gray_alpha()




sub/spudec.c:spudec_packet_fill() optionally draws rectangles with an x and
y offset, which is used by sub/av_sub.c:avsub_to_spudec() in case of
multiple rects. The way this is done now causes a heap overflow in
spudec.c:pal2gray_alpha().
spudec_packet_fill() offsets img and aimg by x before calling
pal2gray_alpha(). pal2gray_alpha() writes dst_stride pixels for each line
in the rect. When the bottom rectangle (and therefore the rectangle
situated at the end of the packet buffer) has an x offset, this causes
x zero bytes to be written past the end of the packet buffer.

The attached patch fixes this by making pal2gray_alpha() handle the x
offset, rather than spudec_packet_fill().

- Matthijs
Index: sub/spudec.c
===================================================================
--- sub/spudec.c	(revision 37230)
+++ sub/spudec.c	(working copy)
@@ -254,16 +254,19 @@
 static void pal2gray_alpha(const uint16_t *pal,
                            const uint8_t *src, int src_stride,
                            uint8_t *dst, uint8_t *dsta,
-                           int dst_stride, int w, int h)
+                           int dst_stride, int w, int h, int x_offset)
 {
   int x, y;
+  int right_padding = dst_stride - x_offset - w;
   for (y = 0; y < h; y++) {
+    for(x = 0; x < x_offset; x++)
+      *dsta++ = *dst++ = 0;
     for (x = 0; x < w; x++) {
       uint16_t pixel = pal[src[x]];
       *dst++  = pixel;
       *dsta++ = pixel >> 8;
     }
-    for (; x < dst_stride; x++)
+    for (x = 0; x < right_padding; x++)
       *dsta++ = *dst++ = 0;
     src += src_stride;
   }
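Review bot: `right_padding = dst_stride - x_offset - w` goes negative when `x_offset + w > dst_stride`, and the new left-padding loop plus the pixel loop still emit `x_offset + w` bytes per row, so a rect wider than the remaining stride still overruns the row in both dst and dsta (only the trailing zero loop is skipped). A guard at the top, `if (x_offset < 0 || w < 0 || x_offset + w > dst_stride) return;` (or clamping `w` to `dst_stride - x_offset`), keeps each row write within dst_stride regardless of the caller. The new `for(x = 0; x < x_offset; x++)` also lacks the space after `for` that the rest of the file uses. A header comment such as `/* Each row writes exactly dst_stride bytes to dst and dsta: x_offset zeros, w palette-converted pixels, then zeros to the end of the row. */` would record the contract this patch introduces. The function's closing brace is past the end of the hunk.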
@@ -306,7 +309,7 @@
   src = this->pal_image + crop_y * this->pal_width + crop_x;
   pal2gray_alpha(pal, src, this->pal_width,
                  this->image, this->aimage, stride,
-                 crop_w, crop_h);
+                 crop_w, crop_h, 0);
   this->width  = crop_w;
   this->height = crop_h;
   this->stride = stride;
@@ -1404,7 +1407,7 @@
                         int x, int y, int w, int h)
 {
   const uint32_t *pal = palette;
-  uint8_t *img  = packet->packet + x + y * packet->stride;
+  uint8_t *img  = packet->packet + y * packet->stride;
   uint8_t *aimg = img + packet->stride * packet->height;
   int i;
   uint16_t g8a8_pal[256];
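Review bot: Nothing in spudec_packet_fill checks `x`, `y`, `w`, `h` against `packet->stride` and `packet->height`, so after this patch the write still stays inside `packet->packet` only if every caller (avsub_to_spudec per the description) keeps each rect within the packet; a rect with `y + h > packet->height` or `x + w > packet->stride` would still run past the buffer through the pal2gray_alpha call in the next hunk of this function. A guard before `img` is computed, `if (x < 0 || y < 0 || w < 0 || h < 0 || x + w > packet->stride || y + h > packet->height) return;`, would make the bounds explicit at the one entry point rather than relying on each caller; whether dropping the rect or clamping it is the right policy is for the maintainers, since the packet's allocation is not visible here. The function's name line is above this hunk.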
@@ -1419,7 +1422,7 @@
       g8a8_pal[i] = (-alpha << 8) | gray;
   }
   pal2gray_alpha(g8a8_pal, pal_img, pal_stride,
-                 img, aimg, packet->stride, w, h);
+                 img, aimg, packet->stride, w, h, x);
 }
 
 void spudec_packet_send(void *spu, packet_t *packet, double pts, double endpts)