[x265] [PATCH 3/4] Limit buffer size operation for unsafe sscanf() calls

Karam Singh karam.singh at multicorewareinc.com
Tue Oct 15 15:12:42 UTC 2024


From e3dfd967467257d652abb7a198c74e1ac881c04c Mon Sep 17 00:00:00 2001
From: Vittorio Giovara <vittorio.giovara at gmail.com>
Date: Tue, 15 Oct 2024 20:05:00 +0530
Subject: [PATCH 3/4] Limit buffer size operation for unsafe sscanf() calls

This function does not impose any size limitation to what it writes to,
which may lead to stack buffer overflows if there is no validation on
the size of the input. Use format modifiers to read the largest possible
value held by buffers instead.
---
 source/encoder/ratecontrol.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/encoder/ratecontrol.cpp b/source/encoder/ratecontrol.cpp
index fe854a837..1e4555676 100644
--- a/source/encoder/ratecontrol.cpp
+++ b/source/encoder/ratecontrol.cpp
@@ -698,7 +698,7 @@ bool RateControl::init(const SPS& sps)
                         char bUsed[40];
                         memset(deltaPOC, 0, sizeof(deltaPOC));
                         memset(bUsed, 0, sizeof(bUsed));
-                        e += sscanf(p, " in:%*d out:%*d type:%c q:%lf
q-aq:%lf q-noVbv:%lf q-Rceq:%lf tex:%d mv:%d misc:%d icu:%lf pcu:%lf
scu:%lf nump:%d numnegp:%d numposp:%d deltapoc:%s bused:%s",
+                        e += sscanf(p, " in:%*d out:%*d type:%c q:%lf
q-aq:%lf q-noVbv:%lf q-Rceq:%lf tex:%d mv:%d misc:%d icu:%lf pcu:%lf
scu:%lf nump:%d numnegp:%d numposp:%d deltapoc:%127s bused:%39s",
                             &picType, &qpRc, &qpAq, &qNoVbv, &qRceq,
&rce->coeffBits,
                             &rce->mvBits, &rce->miscBits, &rce->iCuCount,
&rce->pCuCount,
                             &rce->skipCuCount,
&rce->rpsData.numberOfPictures, &rce->rpsData.numberOfNegativePictures,
&rce->rpsData.numberOfPositivePictures, deltaPOC, bUsed);
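
Review bot: The widths in `deltapoc:%127s bused:%39s` are hard-coded separately from the buffers they protect. `%39s` matches the `char bUsed[40]` visible in this hunk (39 characters plus the terminating NUL), but the declaration of `deltaPOC` is outside the context shown, so please confirm it is at least 128 bytes. Consider tying each width to its array, with a comment at the declarations or a compile-time check on `sizeof(deltaPOC)` and `sizeof(bUsed)`, so that a later resize cannot silently reintroduce the overflow. Also note that when the `deltapoc` token is longer than 127 characters the conversion stops mid-token, the literal `bused:` then fails to match, and `sscanf` returns one fewer conversion while `bUsed` stays zeroed from the `memset`. The code after this call should treat that shortfall in `e` as a parse error rather than continue with a truncated `deltaPOC`.
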
-- 
2.36.0.windows.1

*__________________________*
*Karam Singh*
*Ph.D. IIT Guwahati*
Senior Software (Video Coding) Engineer
Mobile: +91 8011279030
Block 9A, 6th floor, DLF Cyber City
Manapakkam, Chennai 600 089