avfilter/edge_template: Fix small inputs with gaussian_blur()

Fixes: out of array access Fixes: Ticket10699 Fixes: poc5ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-12-22 11:54:24 +01:00 · 2023-12-22 11:54:24 +01:00 · c443658d26
parent e6459abfad
commit c443658d26
1 changed files with 19 additions and 10 deletions
--- a/libavfilter/edge_template.c
+++ b/libavfilter/edge_template.c
@ -74,6 +74,7 @@ void fn(gaussian_blur)(int w, int h,
                       uint8_t *dst, int dst_linesize,
                       const uint8_t *src, int src_linesize, int src_stride)
 {
+    int j;
    pixel *srcp = (pixel *)src;
    pixel *dstp = (pixel *)dst;

@ -81,12 +82,17 @@ void fn(gaussian_blur)(int w, int h,
    src_linesize /= sizeof(pixel);
    dst_linesize /= sizeof(pixel);

-    memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
-    memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
-    for (int j = 2; j < h - 2; j++) {
-        dstp[0] = srcp[(0)*src_stride];
-        dstp[1] = srcp[(1)*src_stride];
-        for (int i = 2; i < w - 2; i++) {
+    for (j = 0; j < FFMIN(h, 2); j++) {
+        memcpy(dstp, srcp, w*sizeof(pixel));
+        dstp += dst_linesize;
+        srcp += src_linesize;
+    }
+
+    for (; j < h - 2; j++) {
+        int i;
+        for (i = 0; i < FFMIN(w, 2); i++)
+            dstp[i] = srcp[i*src_stride];
+        for (; i < w - 2; i++) {
            /* Gaussian mask of size 5x5 with sigma = 1.4 */
            dstp[i] = ((srcp[-2*src_linesize + (i-2)*src_stride] + srcp[2*src_linesize + (i-2)*src_stride]) * 2
                     + (srcp[-2*src_linesize + (i-1)*src_stride] + srcp[2*src_linesize + (i-1)*src_stride]) * 4
@ -106,12 +112,15 @@ void fn(gaussian_blur)(int w, int h,
                     + srcp[(i+1)*src_stride] * 12
                     + srcp[(i+2)*src_stride] *  5) / 159;
        }
-        dstp[w - 2] = srcp[(w - 2)*src_stride];
-        dstp[w - 1] = srcp[(w - 1)*src_stride];
+        for (; i < w; i++)
+            dstp[i] = srcp[i*src_stride];

        dstp += dst_linesize;
        srcp += src_linesize;
    }
-    memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize;
-    memcpy(dstp, srcp, w*sizeof(pixel));
+    for (; j < h; j++) {
+        memcpy(dstp, srcp, w*sizeof(pixel));
+        dstp += dst_linesize;
+        srcp += src_linesize;
+    }
 }