mirror of
https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg
An H.264 picture with 65536 slices makes slice_num collide with the slice_table sentinel. slice_table is uint16_t, initialized via memset(..., -1, ...) so spare entries (one per row, mb_stride = mb_width + 1) stay 0xFFFF. slice_num is an uncapped ++h->current_slice. At slice 65535 the collision makes slice_table[spare] == slice_num pass, defeating the deblock_topleft check in xchg_mb_border and the top_type zeroing in fill_decode_caches. With both guards bypassed at mb_x = 0, top_borders[top_idx][-1] underflows 96 bytes and XCHG writes at -88 below the allocation (plus -72 and -56 for chroma in the non-444 path).

Fixes: heap-buffer-overflow
Found-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
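The sentinel collision described in the commit message, as an added, reduced model written for this page; it is not FFmpeg's code and does not reproduce the actual patch. The model keeps only what the bug needs: a uint16_t slice_table with mb_stride = mb_width + 1 entries per row (so column mb_width is a spare entry that memset(-1) leaves at 0xFFFF), a neighbour test that decides "top-left macroblock is in my slice" by value equality, and a picture whose last row carries slice number 65535. The padding layout (one extra row above, one extry entry to the left), the 4x3 picture size, the function names and the two hardenings at the end (refusing a slice_num equal to the sentinel, and never treating the sentinel as a slice match) are assumptions of this example, not details taken from the FFmpeg sources.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLICE_SENTINEL 0xFFFFu   /* value memset(-1) leaves in every untouched uint16_t entry */

/* Hypothetical, reduced model of the slice_table layout: one row of
 * mb_stride = mb_width + 1 entries per macroblock row, so column mb_width
 * of every row is a spare entry that no macroblock ever writes. One padding
 * row above and one extra entry to the left are included so that the
 * top-left neighbour of any real macroblock is an in-bounds index. */
typedef struct {
    int mb_width, mb_height, mb_stride;
    uint16_t *base;          /* the allocation */
    uint16_t *slice_table;   /* base + mb_stride + 1, i.e. a padded view of it */
} slice_model;

static int slice_model_init(slice_model *m, int mb_width, int mb_height)
{
    m->mb_width  = mb_width;
    m->mb_height = mb_height;
    m->mb_stride = mb_width + 1;
    size_t n = (size_t)m->mb_stride * (mb_height + 2);
    m->base = malloc(n * sizeof *m->base);
    if (!m->base)
        return -1;
    memset(m->base, -1, n * sizeof *m->base);   /* every entry becomes 0xFFFF */
    m->slice_table = m->base + m->mb_stride + 1;
    return 0;
}

static void slice_model_free(slice_model *m)
{
    free(m->base);
    m->base = m->slice_table = NULL;
}

/* Decode one macroblock row as a single slice: only the mb_width real
 * columns are written, the spare column keeps the sentinel. */
static void decode_row(slice_model *m, int mb_y, uint16_t slice_num)
{
    for (int mb_x = 0; mb_x < m->mb_width; mb_x++)
        m->slice_table[mb_y * m->mb_stride + mb_x] = slice_num;
}

/* Vulnerable form of the neighbour test: "the top-left macroblock belongs
 * to the current slice" is decided purely by value equality. At mb_x == 0
 * topleft_xy is the spare entry of the row above, so a slice_num equal to
 * the sentinel makes the test pass for a neighbour that does not exist. */
static int topleft_in_slice_vuln(const slice_model *m, int mb_x, int mb_y, uint16_t slice_num)
{
    int topleft_xy = mb_y * m->mb_stride + mb_x - m->mb_stride - 1;
    return m->slice_table[topleft_xy] == slice_num;
}

/* Hardened form (illustrative, not FFmpeg's actual patch): a macroblock in
 * column 0 has no top-left neighbour, and the sentinel never means
 * "same slice" regardless of what slice_num happens to be. */
static int topleft_in_slice_hardened(const slice_model *m, int mb_x, int mb_y, uint16_t slice_num)
{
    if (mb_x == 0)
        return 0;
    int topleft_xy = mb_y * m->mb_stride + mb_x - m->mb_stride - 1;
    uint16_t v = m->slice_table[topleft_xy];
    return v != SLICE_SENTINEL && v == slice_num;
}

/* Cap the slice counter before it can collide with the sentinel: a slice
 * whose number would be 0xFFFF is rejected instead of being decoded. */
static int slice_num_accept(unsigned current_slice)
{
    return current_slice < SLICE_SENTINEL;
}

/* Scenario helper: a 4x3 picture, one slice per row, last row numbered
 * slice_num; returns whether the guard passes for the macroblock at (0, 2),
 * whose "top-left neighbour" index is the spare entry of row 0. */
static int guard_passes_at_col0(uint16_t slice_num, int hardened)
{
    slice_model m;
    if (slice_model_init(&m, 4, 3) < 0)
        return -1;
    decode_row(&m, 0, (uint16_t)(slice_num - 2));
    decode_row(&m, 1, (uint16_t)(slice_num - 1));
    decode_row(&m, 2, slice_num);
    int r = hardened ? topleft_in_slice_hardened(&m, 0, 2, slice_num)
                     : topleft_in_slice_vuln(&m, 0, 2, slice_num);
    slice_model_free(&m);
    return r;
}

int main(void)
{
    printf("slice 5:     vuln guard=%d hardened=%d\n",
           guard_passes_at_col0(5, 0), guard_passes_at_col0(5, 1));
    printf("slice 65535: vuln guard=%d hardened=%d\n",
           guard_passes_at_col0(65535, 0), guard_passes_at_col0(65535, 1));
    printf("accept slice 65535: %d\n", slice_num_accept(65535));
    return 0;
}
```

The point the model makes is that the spare column is reachable from every column-0 macroblock through the topleft index, so any guard of the form slice_table[x] == slice_num is only sound while slice_num can never take the sentinel value; once the counter is allowed to reach 0xFFFF, the neighbour test and whatever negative-index access it protects are both wrong. Either hardening alone closes the collision here, but the counter cap is the cheaper one to audit because it makes the invariant explicit at the point where slice_num is produced.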