Skip to content

Commit

Permalink
Fix heap buffer overflow in a pixel format conversion function
Browse files Browse the repository at this point in the history 
Summary:
Fixes a loop control logic in `FrameConverter::convertTwoRows_1PlaneMosaicPacked10Bit_To_1PlaneUnpacked3Channels8BitAdvanced()`

Setting loop limit to `width - 5u` when `width` is `4u` resulted in loop limit being set to unsigned integer's maximum value due to unsigned integer arithmetic.  This caused the loop to iterate and read/write past buffer boundaries.

Reviewed By: ASchneiderMeta

Differential Revision: D59763520

fbshipit-source-id: 1350c3651c48932bee5f7d6cbfe4a3a3f94406e6
  • Loading branch information
@leapally @facebook-github-bot
leapally authored and facebook-github-bot committed Jul 16, 2024
1 parent 4f87941 commit f4a6204
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion impl/ocean/cv/FrameConverter.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7166,7 +7166,7 @@ void FrameConverter::convertTwoRows_1PlaneMosaicPacked10Bit_To_1PlaneUnpacked3Ch
targetRow0 += 3;
targetRow1 += 3;

for (unsigned int x = 1u; x < width - 5u; x += 4u)
for (unsigned int lastSourceElement = 5u; lastSourceElement < width; lastSourceElement += 4u)
{
// Unpack the next block and then subtract blacklevel and apply white balance
unpack5ElementsBayerMosaicPacked10Bit(sourceRowA + 5, sourceBlockA + 4);
Expand Down

0 comments on commit f4a6204

Please sign in to comment.