BUG: Segment violation Heap corruption in rgb24toyuv420p (video.c)
I have (up to 5) Firewire cameras driving 5 vloopback devices into Motion. My program
that drives the Firewire cameras converts all frames to rgb24 format. Under certain
conditions of motion.conf, I got a SIGSEGV when calling "free". Relinked Motion
using Electric Fence and found that in the routine "rgb24toyuv420p" the "v" pointer
would walk off the end of allocated memory when the loop counter was on the last
horizontal line of the frame. I changed one line in the routine that fixes the problem. Diff
below.
188c188
< if ((loop & 1) == 1)
---
> if ((loop & 1) == 0)
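Review bot: The flipped parity test at line 188, "if ((loop & 1) == 0)", has no comment saying which rows (even or odd values of loop) are meant to take this branch, so the next optimisation pass could flip it back without noticing. Suggest adding a one-line comment on the condition that states the intended row parity and why, and checking that the "v" pointer stops exactly at the end of its buffer for both even and odd frame heights, since the hunk alone does not show how loop is bounded.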
I am not exactly sure if this has any effect on downstream algorithms?
Test case
Should appear with any inputs that use the rgb24 format. I just printed out the
values of the "v" pointer when loop > (height - 3) to prove to myself that
"v" would eventually point past the end of the array.
Environment
Motion version: 3.1.19
ffmpeg version: 0.4.9-pre1
Shared libraries: ffmpeg, mysql
Server OS: Suse 9.1 kernel 2.6.5-7.145-default
--
DanielLadd - 30 Mar 2005
Follow up
Thanks for your report. Will review your change and most likely implement it. Just need to walk through this function. It is new territory to me.
--
KennethLavrsen - 30 Mar 2005
Fix record
I had to understand the colour conversion code before I accepted the fix since you were not too sure yourself.
But yes your fix is correct.
The bug was introduced when the rgb2yuv420p function was optimised from 3.1.9 to 3.1.10.
I have looked at the original code and with your suggested fix the functionality becomes the same as it was in, for example, 3.1.8.
I have updated my sources. The fix will be in both 3.1.20_snap5 and 3.2.1_snap12.
There was a support question which I changed to a resolved bug report:
BugReport2005x02x28x170109. I am sure it was the same problem.
Thanks to Daniel for the fix.
--
KennethLavrsen - 04 Apr 2005