File ffmpeg-CVE-2023-50010.patch of Package ffmpeg

Overview Repositories Revisions Requests Users Attributes Meta

File ffmpeg-CVE-2023-50010.patch of Package ffmpeg

commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a (20231224_CVE-2023-50010_e4d2666bdc3dbd177a81bbf428654a5f2fa3787a)
Author: Michael Niedermayer <michael@niedermayer.cc>
Date:   Sun Dec 24 20:50:51 2023 +0100

avfilter/vf_gradfun: Do not overread last line

The code works in steps of 2 lines and lacks support for odd height
    Implementing odd height support is better but for now this fixes the
    out of array access

Fixes: out of array access
    Fixes: tickets/10702/poc6ffmpe

Found-by: Zeng Yunxiang
    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff -Nura ffmpeg-3.4.2/libavfilter/vf_gradfun.c ffmpeg-3.4.2_new/libavfilter/vf_gradfun.c
--- ffmpeg-3.4.2/libavfilter/vf_gradfun.c	2018-01-01 06:35:48.000000000 +0800
+++ ffmpeg-3.4.2_new/libavfilter/vf_gradfun.c	2024-05-07 20:45:35.256190851 +0800
@@ -92,7 +92,7 @@
     for (y = 0; y < r; y++)
         ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2);
     for (;;) {
-        if (y < height - r) {
+        if (y + 1 < height - r) {
             int mod = ((y + r) / 2) % r;
             uint16_t *buf0 = buf + mod * bstride;
             uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride;

Places

File ffmpeg-CVE-2023-50010.patch of Package ffmpeg

Places