[x265] [PATCH 4/4] Limit buffer size operation for unsafe sprintf() calls
Karam Singh
karam.singh at multicorewareinc.com
Tue Oct 15 15:13:37 UTC 2024
>From 0e0ce486799929d45ee35a30797c21afdafe99b7 Mon Sep 17 00:00:00 2001
From: Vittorio Giovara <vittorio.giovara at gmail.com>
Date: Tue, 15 Oct 2024 20:11:01 +0530
Subject: [PATCH 4/4] Limit buffer size operation for unsafe sprintf() calls
sprintf() does not impose any size limit on what it writes, which may
lead to stack buffer overflows if the size of the input is not
validated. Use snprintf() instead.
---
source/common/common.cpp | 4 ++--
source/encoder/ratecontrol.cpp | 4 ++--
source/profile/vtune/vtune.cpp | 2 +-
source/x265cli.cpp | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/source/common/common.cpp b/source/common/common.cpp
index b33248782..4925d59a9 100644
--- a/source/common/common.cpp
+++ b/source/common/common.cpp
@@ -133,7 +133,7 @@ void general_log(const x265_param* param, const char*
caller, int level, const c
}
if (caller)
- p += sprintf(buffer, "%-4s [%s]: ", caller, log_level);
+ p += snprintf(buffer, sizeof(buffer), "%-4s [%s]: ", caller,
log_level);
va_list arg;
va_start(arg, fmt);
vsnprintf(buffer + p, bufferSize - p, fmt, arg);
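Review bot: snprintf() returns the length the output would have had, not the number of bytes stored, so `p += snprintf(buffer, sizeof(buffer), ...)` can leave `p` past the end of the buffer when `caller` is long (or negative on an encoding error). The next line, `vsnprintf(buffer + p, bufferSize - p, fmt, arg)`, would then receive an out-of-range pointer and a negative size that converts to a very large size_t. Clamping before reuse closes this, e.g. `if (p < 0 || p >= bufferSize) p = bufferSize - 1;`, and passing `bufferSize` instead of `sizeof(buffer)` keeps both calls on the same bound, since the declaration of `buffer` is outside the hunk and `sizeof` is only right if it is an array. The same applies to the identical line in general_log_file and, if `p` is reused as an offset after that hunk, to `int p = snprintf(buf, sizeof(buf), ...)` in x265cli.cpp. The function bodies start and end outside these hunks.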
@@ -175,7 +175,7 @@ void general_log_file(const x265_param* param, const
char* caller, int level, co
}
if (caller)
- p += sprintf(buffer, "%-4s [%s]: ", caller, log_level);
+ p += snprintf(buffer, sizeof(buffer), "%-4s [%s]: ", caller,
log_level);
va_list arg;
va_start(arg, fmt);
vsnprintf(buffer + p, bufferSize - p, fmt, arg);
diff --git a/source/encoder/ratecontrol.cpp b/source/encoder/ratecontrol.cpp
index 1e4555676..50adefc19 100644
--- a/source/encoder/ratecontrol.cpp
+++ b/source/encoder/ratecontrol.cpp
@@ -3250,8 +3250,8 @@ int RateControl::writeRateControlFrameStats(Frame*
curFrame, RateControlEntry* r
for (i = 0; i < num; i++)
{
- sprintf(deltaPOC, "%s%d~", deltaPOC, rpsWriter->deltaPOC[i]);
- sprintf(bUsed, "%s%d~", bUsed, rpsWriter->bUsed[i]);
+ snprintf(deltaPOC, sizeof(deltaPOC), "%s%d~", deltaPOC,
rpsWriter->deltaPOC[i]);
+ snprintf(bUsed, sizeof(bUsed), "%s%d~", bUsed,
rpsWriter->bUsed[i]);
}
if (fprintf(m_statFileOut,
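Review bot: Both new calls in the loop pass the destination as its own `%s` argument (`snprintf(deltaPOC, sizeof(deltaPOC), "%s%d~", deltaPOC, ...)`), which the C standard leaves undefined for overlapping objects. With some libc builds the bounded variant yields a truncated or empty prefix, so the accumulated list can be corrupted even though nothing overflows. Appending at a tracked offset removes the overlap and makes the bound check explicit. The sketch assumes `deltaPOC` and `bUsed` are NUL-terminated arrays declared before the loop, which is outside the hunk, and it stops appending once either is full. writeRateControlFrameStats starts and ends outside the hunk.

```cpp
size_t pocLen = strlen(deltaPOC);
size_t usedLen = strlen(bUsed);
for (i = 0; i < num; i++)
{
    int n = snprintf(deltaPOC + pocLen, sizeof(deltaPOC) - pocLen, "%d~", rpsWriter->deltaPOC[i]);
    if (n < 0 || (size_t)n >= sizeof(deltaPOC) - pocLen)
    {
        deltaPOC[pocLen] = '\0'; // drop the partial entry rather than emit a cut-off number
        break;
    }
    pocLen += n;

    n = snprintf(bUsed + usedLen, sizeof(bUsed) - usedLen, "%d~", rpsWriter->bUsed[i]);
    if (n < 0 || (size_t)n >= sizeof(bUsed) - usedLen)
    {
        bUsed[usedLen] = '\0';
        break;
    }
    usedLen += n;
}
// … unchanged: fprintf(m_statFileOut, …) …
```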
diff --git a/source/profile/vtune/vtune.cpp b/source/profile/vtune/vtune.cpp
index 1eb347cce..4545ab50f 100644
--- a/source/profile/vtune/vtune.cpp
+++ b/source/profile/vtune/vtune.cpp
@@ -51,7 +51,7 @@ void vtuneInit()
void vtuneSetThreadName(const char *name, int id)
{
char threadname[128];
- sprintf(threadname, "%s %d", name, id);
+ snprintf(threadname, sizeof(threadname), "%s %d", name, id);
__itt_thread_set_name(threadname);
}
diff --git a/source/x265cli.cpp b/source/x265cli.cpp
index 2593e1ee5..790df9a88 100755
--- a/source/x265cli.cpp
+++ b/source/x265cli.cpp
@@ -981,7 +981,7 @@ namespace X265_NS {
if (param->logLevel >= X265_LOG_INFO)
{
char buf[128];
- int p = sprintf(buf, "%dx%d fps %d/%d %sp%d",
param->sourceWidth, param->sourceHeight,
+ int p = snprintf(buf, sizeof(buf), "%dx%d fps %d/%d %sp%d",
param->sourceWidth, param->sourceHeight,
param->fpsNum, param->fpsDenom,
x265_source_csp_names[param->internalCsp], info[0].depth);
int width, height;
--
2.36.0.windows.1
*__________________________*
*Karam Singh*
*Ph.D. IIT Guwahati*
Senior Software (Video Coding) Engineer
Mobile: +91 8011279030
Block 9A, 6th floor, DLF Cyber City
Manapakkam, Chennai 600 089