The equalities in the w{r,g,b} range checks ensure that longest is never
0. Even if the alpha component were selected in get_next_color(), it
would cause underread memory accesses in its caller (colormap_insert).
---
 libavfilter/vf_paletteuse.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/libavfilter/vf_paletteuse.c b/libavfilter/vf_paletteuse.c
index f43f077454..8954a02524 100644
--- a/libavfilter/vf_paletteuse.c
+++ b/libavfilter/vf_paletteuse.c
@@ -211,7 +211,7 @@ static void colormap_nearest_node(const struct color_node 
*map,
                                   struct nearest_color *nearest)
 {
     const struct color_node *kd = map + node_pos;
-    const int shift = (3 - kd->split) * 8;
+    const int shift = (2 - kd->split) * 8;
     int dx, nearer_kd_id, further_kd_id;
     const uint32_t current = kd->val;
     const int current_to_target = diff(target, current, trans_thresh);
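Review bot: The new `(2 - kd->split) * 8` shift is only defined while `split` stays in 0..2, and nothing at this site states or checks that; a value outside the range gives a negative or too-large shift count, which is undefined behaviour in C. The same expression is repeated in colormap_nearest_iterative, in the DECLARE_CMP_FUNC macro and in colormap_insert, so the component encoding now lives in four places. The tree appears to be built by colormap_insert in this file, so this is a hardening and documentation point rather than a reachable bug. I would state the encoding once next to the field, e.g. `/* split: 0 = R, 1 = G, 2 = B; the component sits at bit (2 - split) * 8 of val */`, or factor the shift into one small static inline helper that all four sites call. The body of colormap_nearest_node continues outside this hunk.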
@@ -270,7 +270,7 @@ static av_always_inline uint8_t 
colormap_nearest_iterative(const struct color_no
 
         /* Check if it's not a leaf */
         if (kd->left_id != -1 || kd->right_id != -1) {
-            const int shift = (3 - kd->split) * 8;
+            const int shift = (2 - kd->split) * 8;
             const int dx = (target>>shift & 0xff) - (current>>shift & 0xff);
             int nearer_kd_id, further_kd_id;
 
@@ -497,7 +497,7 @@ static void disp_node(AVBPrint *buf,
     const uint32_t fontcolor = (node->val>>16 & 0xff) > 0x50 &&
                                (node->val>> 8 & 0xff) > 0x50 &&
                                (node->val     & 0xff) > 0x50 ? 0 : 0xffffff;
-    const int rgb_comp = node->split - 1;
+    const int rgb_comp = node->split;
     av_bprintf(buf, "%*cnode%d ["
                "label=\"%c%02X%c%02X%c%02X%c\" "
                "fillcolor=\"#%06"PRIX32"\" "
@@ -588,16 +588,15 @@ static int cmp_##name(const void *pa, const void *pb)   \
 {                                                       \
     const struct color *a = pa;                         \
     const struct color *b = pb;                         \
-    return   (int)(a->value >> (8 * (3 - (pos))) & 0xff)     \
-           - (int)(b->value >> (8 * (3 - (pos))) & 0xff);    \
+    return   (int)(a->value >> (8 * (2 - (pos))) & 0xff)     \
+           - (int)(b->value >> (8 * (2 - (pos))) & 0xff);    \
 }
 
-DECLARE_CMP_FUNC(a, 0)
-DECLARE_CMP_FUNC(r, 1)
-DECLARE_CMP_FUNC(g, 2)
-DECLARE_CMP_FUNC(b, 3)
+DECLARE_CMP_FUNC(r, 0)
+DECLARE_CMP_FUNC(g, 1)
+DECLARE_CMP_FUNC(b, 2)
 
-static const cmp_func cmp_funcs[] = {cmp_a, cmp_r, cmp_g, cmp_b};
+static const cmp_func cmp_funcs[] = {cmp_r, cmp_g, cmp_b};
 
 static int get_next_color(const uint8_t *color_used, const uint32_t *palette,
                           const int trans_thresh,
@@ -650,9 +649,9 @@ static int get_next_color(const uint8_t *color_used, const 
uint32_t *palette,
     wr = ranges.max[0] - ranges.min[0];
     wg = ranges.max[1] - ranges.min[1];
     wb = ranges.max[2] - ranges.min[2];
-    if (wr >= wg && wr >= wb) longest = 1;
-    if (wg >= wr && wg >= wb) longest = 2;
-    if (wb >= wr && wb >= wg) longest = 3;
+    if (wr >= wg && wr >= wb) longest = 0;
+    if (wg >= wr && wg >= wb) longest = 1;
+    if (wb >= wr && wb >= wg) longest = 2;
     cmpf = cmp_funcs[longest];
     *component = longest;
 
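Review bot: `longest` is assigned only inside three independent `if`s, so its staying in 0..2 depends on the reader working out that one of the `>=` tests must always hold; its declaration is outside the hunk, so I cannot tell whether it has an initializer. The value indexes the now three-entry `cmp_funcs` on the next line and is passed through `*component` to colormap_insert, where it indexes `box1.max[]` and `box2.min[]`, so an out-of-range value would be an out-of-bounds access in both places. I would make the bound explicit with an equivalent form: `longest = 0;` followed by `if (wg >= wr && wg >= wb) longest = 1;` and `if (wb >= wr && wb >= wg) longest = 2;`. That keeps the current tie-breaking (the later component wins) while making the default visible to compilers and static analysers. The body of get_next_color continues outside this hunk.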
@@ -692,13 +691,13 @@ static int colormap_insert(struct color_node *map,
 
     /* get the two boxes this node creates */
     box1 = box2 = *box;
-    comp_value = node->val >> ((3 - component) * 8) & 0xff;
-    box1.max[component-1] = comp_value;
-    box2.min[component-1] = FFMIN(comp_value + 1, 255);
+    comp_value = node->val >> ((2 - component) * 8) & 0xff;
+    box1.max[component] = comp_value;
+    box2.min[component] = FFMIN(comp_value + 1, 255);
 
     node_left_id = colormap_insert(map, color_used, nb_used, palette, 
trans_thresh, &box1);
 
-    if (box2.min[component-1] <= box2.max[component-1])
+    if (box2.min[component] <= box2.max[component])
         node_right_id = colormap_insert(map, color_used, nb_used, palette, 
trans_thresh, &box2);
 
     node->left_id  = node_left_id;
-- 
2.38.1
