[vlc-devel] [patch] i420_rgb: buffer overflow
Steve Lhomme
robux4 at ycbcr.xyz
Fri Jan 25 08:42:23 CET 2019
On 24/01/2019 18:07, Francois Cartegnie wrote:
> Le 22/01/2019 à 18:44, jnqnfe at gmail.com a écrit :
>> patch attached
>>
>> Incorrect pointer offset calculation in SSE2 (non-assembly version)
>> RGB15 unpacking.
>>
>> Could, I believe, allow almost 128 bytes to be written past the end of
>> the end of the buffer on last loop iteration.
> So after investigating,
> the only way to trigger that code path is (and probably why it never
> happened):
>
> - Build without swscale
> - Build without asm tool (CAN_COMPILE_SSE2) but with intrinsics
So not in our builds
>
> In the use
> - Have some I420 to RV15 conversion (unlikely in display)
With ultra ancient (if any) graphics card (16 bits ones ?).
> - Have unaligned pixels
Which can happen with some GPU driver allocated memory on Windows. But
we don't use that anymore in the display.
>
> And it will overflow by 16 bytes at the end of the buffer, only if there
> is no alignment.
Which can happen on 3.x the visible area is at least a multiple of 16x2
pixels (width alignment x line alignment). In 4:2:0 that's divided by 4
for U and V planes, so 8 bytes.
On 4.x the pixel padding is 16x16 so no worries.
Is there a real case use of this issue ?
More information about the vlc-devel
mailing list