reauktion/daedalus-v4l2
2
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'daemon: bounds-check pack_* functions against CAPTURE plane size' (#21) from noether/daemon-pack-bounds-check into main

Browse Source 
Reviewed-on: #21
This commit was merged in pull request #21.
This commit is contained in:
Markus Fritsche
2026-05-23 15:11:57 +00:00
parent b958ef8166 a43296c1ed
commit 4cfe0b470f
1 changed files with 53 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
daemon/src/decoder.c
+53 -2
View File
@@ -273,6 +273,20 @@ static int pack_p010_to_plane(struct AVFrame *fr,
if (!base) if (!base)
return -EINVAL; return -EINVAL;
/* Bounds-check (see pack_nv12_single comment). P010 stores 16
* bits per sample on both Y and CbCr planes; stride is in bytes
* and already accounts for the 2× expansion. */
{
size_t y_size_chk = (size_t) stride * (size_t) h;
size_t required = y_size_chk + (size_t) stride * (size_t) ch;
if (planes->size[0] < required) {
log_warn("pack_p010: frame %dx%d (stride=%u required=%zu) "
"exceeds CAPTURE plane[0] size %zu — skipping pack",
w, h, stride, required, planes->size[0]);
return -EOVERFLOW;
}
}
dst_y = base; dst_y = base;
y_size = (size_t) stride * (size_t) h; y_size = (size_t) stride * (size_t) h;
dst_uv = base + y_size; dst_uv = base + y_size;
@@ -320,7 +334,7 @@ static int pack_nv12_single_to_plane(struct AVFrame *fr,
uint8_t *base; uint8_t *base;
uint32_t stride; uint32_t stride;
uint8_t *dst_y, *dst_uv; uint8_t *dst_y, *dst_uv;
size_t y_size; size_t y_size, required;
if (!desc || !planes || planes->nr < 1) if (!desc || !planes || planes->nr < 1)
return -EINVAL; return -EINVAL;
@@ -339,8 +353,27 @@ static int pack_nv12_single_to_plane(struct AVFrame *fr,
if (!base) if (!base)
return -EINVAL; return -EINVAL;
/*
* Bounds-check before any write — the V4L2 client's CAPTURE
* dmabuf may have been sized for a smaller frame than what
* libavcodec just decoded (e.g. YouTube DASH stepping
* resolution mid-stream — libva is supposed to handle the
* SOURCE_CHANGE event with STREAMOFF + S_FMT + REQBUFS but
* sometimes a stale request slips through carrying the old
* buffer size). Writing the chroma interleave loop into an
* undersized mapping faults the daemon with SIGSEGV mid-frame.
* Bail loudly with a warn instead.
*/
y_size = (size_t) stride * (size_t) h;
required = y_size + (size_t) stride * (size_t) ch;
if (planes->size[0] < required) {
log_warn("pack_nv12_single: frame %dx%d (stride=%u required=%zu) "
"exceeds CAPTURE plane[0] size %zu — skipping pack",
w, h, stride, required, planes->size[0]);
return -EOVERFLOW;
}
dst_y = base; dst_y = base;
y_size = (size_t) stride * (size_t) h;
dst_uv = base + y_size; dst_uv = base + y_size;
for (y = 0; y < h; y++) for (y = 0; y < h; y++)
@@ -395,6 +428,24 @@ static int pack_nv12_to_planes(struct AVFrame *fr,
if (!dst_y || !dst_uv) if (!dst_y || !dst_uv)
return -EINVAL; return -EINVAL;
/*
* Bounds-check both planes against the mapped dmabuf size. See
* pack_nv12_single_to_plane comment for the resolution-change-
* mid-stream crash story this protects against.
*/
{
size_t y_required = (size_t) dst_y_stride * (size_t) h;
size_t uv_required = (size_t) dst_uv_stride * (size_t) ch;
if (planes->size[0] < y_required ||
planes->size[1] < uv_required) {
log_warn("pack_nv12_2plane: frame %dx%d "
"(y=%zu/%zu uv=%zu/%zu) exceeds CAPTURE — skipping pack",
w, h, y_required, planes->size[0],
uv_required, planes->size[1]);
return -EOVERFLOW;
}
}
/* Y plane copy — strip source stride padding. */ /* Y plane copy — strip source stride padding. */
for (y = 0; y < h; y++) for (y = 0; y < h; y++)
memcpy(dst_y + (size_t) y * dst_y_stride, memcpy(dst_y + (size_t) y * dst_y_stride,