Diego Biurrun wrote:
> On Mon, Jan 29, 2007 at 11:32:13PM +0000, M?ns Rullg?rd wrote:
>> Michael Niedermayer <michaelni at gmx.at> writes:
>>
>>> On Mon, Jan 29, 2007 at 03:05:17PM +0100, Michel Bardiaux wrote:
>>>> Reimar Doeffinger wrote:
>>>>> On Mon, Jan 29, 2007 at 02:18:47PM +0100, Michel Bardiaux wrote:
>>>>>> Alex Beregszaszi wrote:
>>>>>>>> ...
>>>>>>>> switch(depth){
>>>>>>>> case 24:
>>>>>>>> for(i = 0; i < avctx->height; i++){
>>>>>>>> memcpy(ptr, buf, n);
>>>>>>>> buf += n;
>>>>>>>> ptr += linesize;
>>>>>>>> }
>>>>>>>> break;
>>>>>>>> ...
>>>>>>>>
>>>>>>>> Should it not be memcpy(ptr, buf, linesize) ?
>>>>>>> n probably means input linesize, while linesize is the output linesize.
>>>>>> Yes.
>>>>>>
>>>>>>> I guess 24bit BMP doesnt stores the padding 1 byte.
>>>>>> Actually it does, see
>>>>>>
>>>>>> /* Line size in file multiple of 4 */
>>>>>> n = (avctx->width * (depth / 8) + 3) & ~3;
>>>>>>
>>>>>> and that's why I am suspicious.
>>>>> Neither is right, avctx->width * (depth >> 3) is the right value.
>>>> Yes. Patch attached.
>>> looks ok assuming mans has no objections
>> Fine by me, assuming it is correct. I don't have any specs or samples
>> at hand.
>
> Somebody provide me with a proper commit message and I'll apply this
> patch.
>
What about 'Fix memcpy out-of-bounds'?
--
Michel Bardiaux
R&D Director
T +32 [0] 2 790 29 41
F +32 [0] 2 790 29 02
E mailto:mbardiaux at mediaxim.be
Mediaxim NV/SA
Vorstlaan 191 Boulevard du Souverain
Brussel 1160 Bruxelles
http://www.mediaxim.com/
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4