
dnn_backend_native: Add overflow check for length calculation.

We should not silently allocate an incorrectly sized buffer.
Fixes trac issue #8718.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Guo, Yejun <yejun.guo@intel.com>
tags/n4.3.1
Reimar Döffinger Guo, Yejun 5 years ago
parent
commit
1f32d8ea23
8 changed files with 23 additions and 1 deletions
  1. +9
    -1
      libavfilter/dnn/dnn_backend_native.c
  2. +2
    -0
      libavfilter/dnn/dnn_backend_native.h
  3. +2
    -0
      libavfilter/dnn/dnn_backend_native_layer_conv2d.c
  4. +2
    -0
      libavfilter/dnn/dnn_backend_native_layer_depth2space.c
  5. +2
    -0
      libavfilter/dnn/dnn_backend_native_layer_mathbinary.c
  6. +2
    -0
      libavfilter/dnn/dnn_backend_native_layer_mathunary.c
  7. +2
    -0
      libavfilter/dnn/dnn_backend_native_layer_maximum.c
  8. +2
    -0
      libavfilter/dnn/dnn_backend_native_layer_pad.c

+ 9
- 1
libavfilter/dnn/dnn_backend_native.c View File

@@ -79,6 +79,8 @@ static DNNReturnType set_input_output_native(void *model, DNNData *input, const

av_freep(&oprd->data);
oprd->length = calculate_operand_data_length(oprd);
if (oprd->length <= 0)
return DNN_ERROR;
oprd->data = av_malloc(oprd->length);
if (!oprd->data)
return DNN_ERROR;
@@ -295,7 +297,13 @@ int32_t calculate_operand_dims_count(const DnnOperand *oprd)
int32_t calculate_operand_data_length(const DnnOperand* oprd)
{
// currently, we just support DNN_FLOAT
return oprd->dims[0] * oprd->dims[1] * oprd->dims[2] * oprd->dims[3] * sizeof(float);
uint64_t len = sizeof(float);
for (int i = 0; i < 4; i++) {
len *= oprd->dims[i];
if (len > INT32_MAX)
return 0;
}
return len;
}

void ff_dnn_free_model_native(DNNModel **model)
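Review bot: In `calculate_operand_data_length`, a negative dimension is rejected only as a side effect of the signed-to-unsigned conversion in `len *= oprd->dims[i]`, which pushes `len` above `INT32_MAX`; nothing in the loop says so. That holds if `dims` stores 32-bit signed values (the struct is not shown on this page) and would stop holding for a wider element type. I would make the rejection explicit as the first statement of the loop, `if (oprd->dims[i] <= 0) return 0;`, and add a comment above the function stating that it returns the size in bytes, or 0 when a dimension is non-positive or the product exceeds `INT32_MAX`. The final `return len;` narrows `uint64_t` to `int32_t` implicitly; the preceding check makes that safe, but `return (int32_t)len;` shows it is intended.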


+ 2
- 0
libavfilter/dnn/dnn_backend_native.h View File

@@ -120,6 +120,8 @@ DNNReturnType ff_dnn_execute_model_native(const DNNModel *model, DNNData *output

void ff_dnn_free_model_native(DNNModel **model);

// NOTE: User must check for error (return value <= 0) to handle
// case like integer overflow.
int32_t calculate_operand_data_length(const DnnOperand *oprd);
int32_t calculate_operand_dims_count(const DnnOperand *oprd);
#endif

+ 2
- 0
libavfilter/dnn/dnn_backend_native_layer_conv2d.c View File

@@ -113,6 +113,8 @@ int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_
output_operand->dims[3] = conv_params->output_num;
output_operand->data_type = operands[input_operand_index].data_type;
output_operand->length = calculate_operand_data_length(output_operand);
if (output_operand->length <= 0)
return -1;
output_operand->data = av_realloc(output_operand->data, output_operand->length);
if (!output_operand->data)
return -1;
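Review bot: On the line after the new check, `output_operand->data = av_realloc(output_operand->data, output_operand->length);` overwrites the only pointer to the old buffer, so when the reallocation fails the `return -1` path leaks the previous allocation. `av_reallocp` frees the buffer and clears the pointer on failure: `if (av_reallocp(&output_operand->data, output_operand->length) < 0) return -1;`. The new early return also leaves `dims` and `length` already overwritten while `data` keeps its previous size, so the operand is inconsistent if a caller keeps using it after the error; whether any caller does is not visible here. The same `av_realloc` pattern appears in the depth2space, mathbinary, mathunary, maximum and pad sections. The body of `dnn_execute_layer_conv2d` starts and ends outside this hunk.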


+ 2
- 0
libavfilter/dnn/dnn_backend_native_layer_depth2space.c View File

@@ -75,6 +75,8 @@ int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_ope
output_operand->dims[3] = new_channels;
output_operand->data_type = operands[input_operand_index].data_type;
output_operand->length = calculate_operand_data_length(output_operand);
if (output_operand->length <= 0)
return -1;
output_operand->data = av_realloc(output_operand->data, output_operand->length);
if (!output_operand->data)
return -1;


+ 2
- 0
libavfilter/dnn/dnn_backend_native_layer_mathbinary.c View File

@@ -91,6 +91,8 @@ int dnn_execute_layer_math_binary(DnnOperand *operands, const int32_t *input_ope

output->data_type = input->data_type;
output->length = calculate_operand_data_length(output);
if (output->length <= 0)
return DNN_ERROR;
output->data = av_realloc(output->data, output->length);
if (!output->data)
return DNN_ERROR;


+ 2
- 0
libavfilter/dnn/dnn_backend_native_layer_mathunary.c View File

@@ -65,6 +65,8 @@ int dnn_execute_layer_math_unary(DnnOperand *operands, const int32_t *input_oper

output->data_type = input->data_type;
output->length = calculate_operand_data_length(output);
if (output->length <= 0)
return DNN_ERROR;
output->data = av_realloc(output->data, output->length);
if (!output->data)
return DNN_ERROR;


+ 2
- 0
libavfilter/dnn/dnn_backend_native_layer_maximum.c View File

@@ -64,6 +64,8 @@ int dnn_execute_layer_maximum(DnnOperand *operands, const int32_t *input_operand

output->data_type = input->data_type;
output->length = calculate_operand_data_length(output);
if (output->length <= 0)
return DNN_ERROR;
output->data = av_realloc(output->data, output->length);
if (!output->data)
return DNN_ERROR;


+ 2
- 0
libavfilter/dnn/dnn_backend_native_layer_pad.c View File

@@ -111,6 +111,8 @@ int dnn_execute_layer_pad(DnnOperand *operands, const int32_t *input_operand_ind
output_operand->dims[3] = new_channel;
output_operand->data_type = operands[input_operand_index].data_type;
output_operand->length = calculate_operand_data_length(output_operand);
if (output_operand->length <= 0)
return -1;
output_operand->data = av_realloc(output_operand->data, output_operand->length);
if (!output_operand->data)
return -1;

