The branch, release/8.0 has been updated
via 27def36203af5cc573eca3405cfefdc7bf5f3051 (commit)
via 6777ab8e8891955efa04b91131c97b2418e4cc76 (commit)
via 0831f98933536fcd919e6a8fe5138d2d32e96f1f (commit)
via 719171a375ae8c1199b3a8bf951d8576088c6036 (commit)
via 6157fafd8afc54bd7ce5084c9a49aa7265205099 (commit)
via 6a1bb9c09fae6f4c88de2dfb9a4359a0dfb06ac8 (commit)
via 58efabb076ee6fd543bd84d07c49f03e62b16cdb (commit)
via b833558b760444ee86d53916bd7eba179df158d2 (commit)
via c1b57e21024f51cc0f48af1174338906350cbca3 (commit)
via cfc6fe640093e7ddefc9a248309991b07c627787 (commit)
via 915272f5c7ebfc8084d3c301f1ee9dfc8d97bb51 (commit)
via 5a6e2b0ab1bbc5a85a9575af8e4d67b4f0ed3d14 (commit)
via a048a8055410e07a09a274ca01ad9617c0ae4fc0 (commit)
via 68e61becf981be23feeba746520c6db79f18a80e (commit)
via bc680e230c38e8487da59c8b6939f4cb4296af89 (commit)
via 89c5d8bdabc4f7468f983ba4318c2bc9147dfb95 (commit)
via bb680a9d5398c3f6ad05b2605049e3b563e05e1e (commit)
via dd062bfaf3ada3b95f55f4d82d1dde440de4e17d (commit)
via a130ed479b749da9ce5f720d21be4b58ed9d93af (commit)
via 8b42ed314af97390cd3269ecfcff79366acb9290 (commit)
via 67ed7fddacc05e6bf73640c1874ca75495678201 (commit)
via 71ecb3d626e3ccc7745c44c74b34434914abb7d9 (commit)
via dcf7f9b70cf1354c09855de104fac19be26ab03e (commit)
via 716cf25eb8616e8e068a7c2a5d23ae107bd117b4 (commit)
via aad0a7d8f610fc89aa470f51404e2ba4975be442 (commit)
via 1cac745f2dbad423e2087e96cf4b10f4ff082165 (commit)
via ac0a59de516aa0ec2d9d1ee91d068ba25ffea252 (commit)
via 9f6c98a32e086ee5baf4d2bb7803adbe8753b2b3 (commit)
via a7f9caa66297525b099bcd7c6c9931f53cb2f759 (commit)
via 8674f8c3cd4eea18cb6aed4710dee46fac97f0f1 (commit)
via bb0e3e7a7c166b5cc6180fc783609255b65b6aeb (commit)
via 277384f039e8745a6c503e27ae7b51033bd2ba01 (commit)
via 4a73c79ad5dbf21d9b91ed0cfa5e5f0113632d24 (commit)
via 7d741cc3b4a1dc1ea94b90a266acc6a7cb49e78f (commit)
via 520570dbeb06377556dd92798e38d5b5fd0dbc35 (commit)
from 8e8c1f498d6878eaabf6a15c89526370d8e2394a (commit)
- Log -----------------------------------------------------------------
commit 27def36203af5cc573eca3405cfefdc7bf5f3051
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 1 01:29:32 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:03 2025 +0100
avfilter/vf_drawtext: Account for bbox text seperator
Fixes: out of array access
no test case
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit ad956ff076ea808e5d64c9ac17c1bfc1ba7d0cc0)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c
index 674e1e53c1..5d7085388e 100644
--- a/libavfilter/vf_drawtext.c
+++ b/libavfilter/vf_drawtext.c
@@ -1011,7 +1011,7 @@ static av_cold int init(AVFilterContext *ctx)
av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use
text_source only\n");
av_free(s->text);
}
- s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE *
+ s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) *
(AV_NUM_DETECTION_BBOX_CLASSIFY + 1));
if (!s->text)
return AVERROR(ENOMEM);
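Review bot: The new size expression encodes an invariant that actually lives in the code writing into s->text, which is outside this hunk, so nothing ties the allocation to the writer and a reader of init() cannot tell why each label needs one extra byte. A comment on the allocation would carry that, e.g. `/* one label per classification plus the bbox label, each followed by a one-byte separator (or the trailing NUL) */`, and if the writer computes its bound separately, a shared macro for the size would keep the two from drifting apart again. init() continues outside the hunk.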
commit 6777ab8e8891955efa04b91131c97b2418e4cc76
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 23:31:40 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:03 2025 +0100
avcodec/mediacodecdec_common: Check that the input to
mediacodec_wrap_sw_audio_buffer() contains channel * sample_size
Fixes: out of array access
no testcase
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 41a9c6ec5f75d8737da3e38223b8c4e923703401)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mediacodecdec_common.c
b/libavcodec/mediacodecdec_common.c
index ae336ab835..9b91c8edf5 100644
--- a/libavcodec/mediacodecdec_common.c
+++ b/libavcodec/mediacodecdec_common.c
@@ -385,6 +385,12 @@ static int mediacodec_wrap_sw_audio_buffer(AVCodecContext
*avctx,
goto done;
}
+ if (info->size % (sample_size * avctx->ch_layout.nb_channels)) {
+ av_log(avctx, AV_LOG_ERROR, "input is not a multiple of channels *
sample_size\n");
+ ret = AVERROR(EINVAL);
+ goto done;
+ }
+
frame->format = avctx->sample_fmt;
frame->sample_rate = avctx->sample_rate;
frame->nb_samples = info->size / (sample_size *
avctx->ch_layout.nb_channels);
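Review bot: The added modulo and the existing division two lines below both divide by `sample_size * avctx->ch_layout.nb_channels`; if either factor can be 0 here (an unsupported sample_fmt leaving sample_size at 0, or a channel layout that is not yet set), that is a division by zero before the new check can reject anything. If the values are not already guaranteed non-zero earlier in mediacodec_wrap_sw_audio_buffer(), the guard should cover them: `if (sample_size <= 0 || avctx->ch_layout.nb_channels <= 0 || info->size % (sample_size * avctx->ch_layout.nb_channels))`. The function begins above the hunk, so any earlier guards are not visible here.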
commit 0831f98933536fcd919e6a8fe5138d2d32e96f1f
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Nov 9 16:03:32 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:02 2025 +0100
avcodec/rv60dec: Clear blk_info
Fixes: use of uninitialized memory
Fixes:
418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 729d0379ab6acb48d55c11ec9bb1b917e94765d6)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index e471049a16..928312ad31 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -309,6 +309,7 @@ static int update_dimensions_clear_info(RV60Context *s, int
width, int height)
return ret;
memset(s->pu_info, 0, s->pu_stride * (s->cu_height << 3) *
sizeof(s->pu_info[0]));
+ memset(s->blk_info, 0, s->blk_stride * (s->cu_height << 4) *
sizeof(s->blk_info[0]));
for (int j = 0; j < s->cu_height << 4; j++)
for (int i = 0; i < s->cu_width << 4; i++)
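Review bot: The memset length multiplies `s->blk_stride * (s->cu_height << 4)` in int before the `* sizeof(...)` promotes it, so for large dimensions the product can overflow before it ever becomes size_t; the pu_info line above has the same shape. Whether the dimension checks earlier in update_dimensions_clear_info() bound the product is not visible in the hunk, so a cast is cheap insurance: `memset(s->blk_info, 0, (size_t)s->blk_stride * (s->cu_height << 4) * sizeof(s->blk_info[0]));`. It is also worth confirming the byte count matches the allocation of blk_info, which is outside this hunk.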
commit 719171a375ae8c1199b3a8bf951d8576088c6036
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 18:00:11 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:02 2025 +0100
avformat/whip: Fix rtp_ctx->streams access
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c199b3d48ffa29519a3bd8fb47b31bf6ba6a242f)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/whip.c b/libavformat/whip.c
index 256ea14d2c..3bc485f993 100644
--- a/libavformat/whip.c
+++ b/libavformat/whip.c
@@ -1541,8 +1541,8 @@ static int create_rtp_muxer(AVFormatContext *s)
* therefore, we deactivate the extradata detection for the RTP muxer.
*/
if (s->streams[i]->codecpar->codec_id == AV_CODEC_ID_H264) {
- av_freep(&rtp_ctx->streams[i]->codecpar->extradata);
- rtp_ctx->streams[i]->codecpar->extradata_size = 0;
+ av_freep(&rtp_ctx->streams[0]->codecpar->extradata);
+ rtp_ctx->streams[0]->codecpar->extradata_size = 0;
}
buffer = av_malloc(buffer_size);
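Review bot: Switching from `streams[i]` to `streams[0]` is correct only because rtp_ctx carries a single stream while i indexes s->streams, but nothing on these lines says so, and the next person to touch create_rtp_muxer() will see a loop index being deliberately ignored. A one-line comment fixes that: `/* rtp_ctx is a per-stream muxer with exactly one stream; i indexes s->streams, not rtp_ctx->streams */`, and `av_assert0(rtp_ctx->nb_streams == 1)` before the free would turn the assumption into a check. create_rtp_muxer() begins and ends outside the hunk, so the surrounding loop is inferred from the index rather than seen.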
commit 6157fafd8afc54bd7ce5084c9a49aa7265205099
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 23:22:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:02 2025 +0100
avcodec/utvideodec: Set B for the width= 1 case in
restore_median_planar_il()
Fixes: use of uninitialized memory
Fixes:
439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 59db32b433ea9e7766ec7fac994860ed15d7ed7d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index bc02ac44d5..098706b705 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -457,7 +457,7 @@ static void restore_median_planar_il(UtvideoContext *c,
uint8_t *src, ptrdiff_t
// second line - first element has top prediction, the rest uses median
C = bsrc[-stride2];
bsrc[0] += C;
- A = bsrc[0];
+ A = B = bsrc[0];
for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need
align 16) */
B = bsrc[i - stride2];
bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
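Review bot: Seeding B with bsrc[0] makes it defined for width == 1, but the choice of value is not explained: the top neighbour C is already in hand and would be the natural prediction source, and whichever value is chosen presumably becomes predictor state carried past the loop. A comment should record the reasoning, e.g. `/* width == 1: the loops below never run, so B must be seeded here as well */`, and it is worth checking whether the non-interlaced restore_median_planar() has the same width == 1 hole. restore_median_planar_il() begins and ends outside the hunk.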
commit 6a1bb9c09fae6f4c88de2dfb9a4359a0dfb06ac8
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Jul 13 01:34:17 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:02 2025 +0100
avcodec/osq: Fix 32bit sample overflow
Fixes: signed integer overflow: 2147483565 + 128 cannot be represented in
type 'int'
Fixes:
428055715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6358069900804096
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 08816b93760f43433a07e980fa9eeab4135de78c)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index 76090aa8d0..1d99ab3245 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -390,7 +390,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame
*frame)
int32_t *src = s->decode_buffer[ch] + OFFSET;
for (int n = 0; n < nb_samples; n++)
- dst[n] = av_clip_uint8(src[n] + 0x80);
+ dst[n] = av_clip_uint8(src[n] + 0x80ll);
}
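Review bot: The 64-bit literal removes the signed-overflow UB in the addition, but if av_clip_uint8() still takes an int (as in libavutil/common.h) the long long sum is converted back to int at the call, so for src[n] near INT32_MAX the value wraps negative and clips to 0 instead of saturating to 255. Clipping the 64-bit sum first keeps the saturation correct: `dst[n] = av_clip_uint8(av_clipl_int32(src[n] + 0x80ll));`. osq_decode_block() continues outside the hunk.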
break;
case AV_SAMPLE_FMT_S16P:
commit 58efabb076ee6fd543bd84d07c49f03e62b16cdb
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:27:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:02 2025 +0100
avformat/rtpdec_rfc4175: Only change PayloadContext on success
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c03e49dd1d8ee2dd21c24002dfac95644c830498)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 4ad69500aa..b49fc55d2d 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -23,6 +23,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/imgutils.h"
#include "libavutil/mem.h"
@@ -173,33 +174,39 @@ static int rfc4175_parse_fmtp(AVFormatContext *s,
AVStream *stream,
}
static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
- PayloadContext *data, const char *line)
+ PayloadContext *data_arg, const char *line)
{
const char *p;
if (st_index < 0)
return 0;
+ av_assert0(!data_arg->sampling);
+
if (av_strstart(line, "fmtp:", &p)) {
AVStream *stream = s->streams[st_index];
+ PayloadContext data0 = *data_arg, *data = &data0;
int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
+ if (!data->sampling || !data->depth || !data->width || !data->height)
+ ret = AVERROR(EINVAL);
+
if (ret < 0)
- return ret;
+ goto fail;
ret = av_image_check_size(data->width, data->height, 0, s);
if (ret < 0)
- return ret;
-
- if (!data->sampling || !data->depth || !data->width || !data->height)
- return AVERROR(EINVAL);
+ goto fail;
stream->codecpar->width = data->width;
stream->codecpar->height = data->height;
ret = rfc4175_parse_format(stream, data);
av_freep(&data->sampling);
-
+ if (ret >= 0)
+ *data_arg = *data;
+fail:
+ av_freep(&data->sampling);
return ret;
}
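Review bot: The `av_freep(&data->sampling)` kept before `if (ret >= 0)` is now redundant with the one under the fail label, which every path reaches, so the success path frees twice; harmless with av_freep, but it reads as if the copy-back could carry a live pointer. Dropping the first one and explaining the scratch copy would make the intent clear: `PayloadContext data0 = *data_arg, *data = &data0; /* parse into a scratch copy so a failing fmtp line never leaves the live context half-updated */`. The `av_assert0(!data_arg->sampling)` is reachable from network-supplied SDP, so it should only stay if no other path in this file can leave sampling set on the live context; within this hunk it holds, since the copy-back happens after the pointer is freed.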
commit b833558b760444ee86d53916bd7eba179df158d2
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:28:49 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:01 2025 +0100
avformat/rtpdec_rfc4175: Check dimensions
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index c41e4f19e0..4ad69500aa 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
#include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
#include "libavutil/mem.h"
#include "libavutil/pixdesc.h"
#include "libavutil/parseutils.h"
@@ -186,6 +187,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int
st_index,
if (ret < 0)
return ret;
+ ret = av_image_check_size(data->width, data->height, 0, s);
+ if (ret < 0)
+ return ret;
if (!data->sampling || !data->depth || !data->width || !data->height)
return AVERROR(EINVAL);
@@ -296,6 +300,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
if (data->interlaced)
line = 2 * line + field;
+ if (line >= data->height)
+ return AVERROR_INVALIDDATA;
+
/* prevent ill-formed packets to write after buffer's end */
copy_offset = (line * data->width + offset) * data->pgroup /
data->xinc;
if (copy_offset + length > data->frame_size || !data->frame)
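Review bot: The new guard bounds `line` but not `offset`, so a packet with a valid line and an offset at or past `data->width` computes a copy_offset that lands on a later row; the existing frame_size check stops it writing past the buffer, but the pixels go to the wrong place. If offset is the pixel offset within the line, as the copy_offset arithmetic suggests, rejecting it is cheap: `if (line >= data->height || offset >= data->width) return AVERROR_INVALIDDATA;`. rfc4175_handle_packet() begins and ends outside the hunk, so where offset is parsed from is not visible here.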
commit c1b57e21024f51cc0f48af1174338906350cbca3
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:17:27 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:01 2025 +0100
avformat/rtpdec_rfc4175: Fix memleak of sampling
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit af3dee313223c722c34e8231cd6859188928a6e3)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index d6260ab69e..c41e4f19e0 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -128,7 +128,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream
*stream,
data->width = atoi(value);
else if (!strncmp(attr, "height", 6))
data->height = atoi(value);
- else if (!strncmp(attr, "sampling", 8))
+ else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
data->sampling = av_strdup(value);
else if (!strncmp(attr, "depth", 5))
data->depth = atoi(value);
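Review bot: A second `sampling=` attribute is now silently ignored rather than reported, and for an SDP arriving from the network a first-wins rule that leaves no trace in the logs hides a malformed or hostile description. Either log it or reject it; the minimal change is one more branch after the fixed one: `else if (!strncmp(attr, "sampling", 8)) av_log(s, AV_LOG_WARNING, "duplicate sampling attribute ignored\n");`. rfc4175_parse_fmtp() begins and ends outside the hunk.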
commit cfc6fe640093e7ddefc9a248309991b07c627787
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 17:32:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:01 2025 +0100
avformat/http: Fix off by 1 error
Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte
Found-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/http.c b/libavformat/http.c
index 49d750b512..c4e6292a95 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -1875,7 +1875,7 @@ static int store_icy(URLContext *h, int size)
ret = http_read_stream_all(h, data, len);
if (ret < 0)
return ret;
- data[len + 1] = 0;
+ data[len] = 0;
if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0)
return ret;
update_metadata(h, data);
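Review bot: The corrected terminator is only safe if `data` was allocated with `len + 1` bytes, and that allocation is above the hunk where a reader cannot check it; a comment at the write would pin the invariant: `data[len] = 0; /* data holds len + 1 bytes, see allocation above */`. If the buffer is exactly len bytes this line is still a one-byte overflow, so the allocation size is worth verifying while the fix is fresh. store_icy() begins outside the hunk.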
commit 915272f5c7ebfc8084d3c301f1ee9dfc8d97bb51
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 01:17:46 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:01 2025 +0100
avcodec/exr: spelling
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d80f8f36513ebff05c537adbe756e36036f80074)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index e85f61b1b9..8143fe0921 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -176,7 +176,7 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
#define M(chr) (1<<chr - 'A')
- int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+ int has_channel; ///< combination of flags representing the channel codes
A-Z
GetByteContext gb;
const uint8_t *buf;
commit 5a6e2b0ab1bbc5a85a9575af8e4d67b4f0ed3d14
Author: oblivionsage <[email protected]>
AuthorDate: Fri Nov 7 18:08:14 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:01 2025 +0100
avcodec/rv60dec: add upper bound check for qp
The quantization parameter (qp) can exceed 63 when the base value
from frame header (0-63) is combined with the offset from slice data
(up to +2), resulting in qp=65. This causes out-of-bounds access to
the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and
get_c4x4_set().
Fixes: Out-of-bounds read
Signed-off-by: oblivionsage <[email protected]>
No testsample is available
This is related to 61cbcaf93f3b2e10124f4c63ce7cd8dad6505fb2 and
clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264
which fixed rv60_qp_to_idx[qp + 32] out of array access
These 2 checks are not redundant and neither covers the cases of the other
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8abeb879df66ea8d27ce1735925ced5a30813de4)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 208fbc68f7..e471049a16 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2263,7 +2263,7 @@ static int decode_slice(AVCodecContext *avctx, void
*tdata, int cu_y, int thread
ff_thread_progress_await(&s->progress[cu_y - 1], cu_x + 2);
qp = s->qp + read_qp_offset(&gb, s->qp_off_type);
- if (qp < 0) {
+ if (qp < 0 || qp >= 64) {
ret = AVERROR_INVALIDDATA;
break;
}
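Review bot: The upper bound 64 is the size of rv60_qp_to_idx written out by hand, so the next change to that table will not update this check. If the table is in scope at this point in the file, derive the bound from it: `if (qp < 0 || qp >= FF_ARRAY_ELEMS(rv60_qp_to_idx)) {`, and a short comment that the `qp + 32` access checked elsewhere is a separate bound would stop the next reader from assuming one check covers the other. decode_slice() begins and ends outside the hunk.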
commit a048a8055410e07a09a274ca01ad9617c0ae4fc0
Author: veygax <[email protected]>
AuthorDate: Sun Nov 2 02:35:40 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:01 2025 +0100
avcodec/exr: use tile dimensions in pxr24 UINT case
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->xdelta is larger than td->xsize, which led to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <[email protected]>
(cherry picked from commit 162f75b5e6798b385bb3eadd8280eff52d03cf29)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index edaf683376..e85f61b1b9 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -748,12 +748,12 @@ static int pxr24_uncompress(const EXRContext *s, const
uint8_t *src,
break;
case EXR_UINT:
ptr[0] = in;
- ptr[1] = ptr[0] + s->xdelta;
- ptr[2] = ptr[1] + s->xdelta;
- ptr[3] = ptr[2] + s->xdelta;
- in = ptr[3] + s->xdelta;
+ ptr[1] = ptr[0] + td->xsize;
+ ptr[2] = ptr[1] + td->xsize;
+ ptr[3] = ptr[2] + td->xsize;
+ in = ptr[3] + td->xsize;
- for (j = 0; j < s->xdelta; ++j) {
+ for (j = 0; j < td->xsize; ++j) {
uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
(*(ptr[1]++) << 16) |
(*(ptr[2]++) << 8 ) |
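Review bot: Only the EXR_UINT case is corrected here, and the HALF and FLOAT cases of the same switch are outside the hunk; if either still advances `ptr`/`in` by s->xdelta the same out-of-bounds read and write remains there, so they should be checked in the same pass. A comment on the case would also stop the mistake recurring: `case EXR_UINT: /* planes are td->xsize wide (tile width), not the data-window width s->xdelta */`. pxr24_uncompress() begins and ends outside the hunk.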
commit 68e61becf981be23feeba746520c6db79f18a80e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:20:36 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:00 2025 +0100
avcodec/exr: Simple check for available channels
The existing is_luma check is fragile as depending on the order
of channels it can be set or reset
No testcase
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 401b4f499c..edaf683376 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -175,6 +175,9 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
+#define M(chr) (1<<chr - 'A')
+ int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+
GetByteContext gb;
const uint8_t *buf;
int buf_size;
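Review bot: `#define M(chr) (1<<chr - 'A')` relies on `-` binding tighter than `<<`, which is correct but reads as `(1 << chr) - 'A'` to most people and trips -Wparentheses; parenthesising the argument and the shift removes the ambiguity: `#define M(chr) (1 << ((chr) - 'A'))`. The macro is defined inside the struct body and never #undef'd, so the single-letter name M is now visible to the rest of the file. The EXRContext struct begins above the hunk.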
@@ -1622,6 +1625,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->is_tile = 0;
s->is_multipart = 0;
s->is_luma = 0;
+ s->has_channel = 0;
s->current_part = 0;
if (bytestream2_get_bytes_left(gb) < 10) {
@@ -1725,23 +1729,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
}
if (layer_match) { /* only search channel if the layer match
is valid */
+ if (strlen(ch_gb.buffer) == 1) {
+ int ch_chr = av_toupper(*ch_gb.buffer);
+ if (ch_chr >= 'A' && ch_chr <= 'Z')
+ s->has_channel |= M(ch_chr);
+ av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);
+ }
+
if (!av_strcasecmp(ch_gb.buffer, "R") ||
!av_strcasecmp(ch_gb.buffer, "X") ||
!av_strcasecmp(ch_gb.buffer, "U")) {
channel_index = 0;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "G") ||
!av_strcasecmp(ch_gb.buffer, "V")) {
channel_index = 1;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
channel_index = 1;
- s->is_luma = 1;
} else if (!av_strcasecmp(ch_gb.buffer, "B") ||
!av_strcasecmp(ch_gb.buffer, "Z") ||
!av_strcasecmp(ch_gb.buffer, "W")) {
channel_index = 2;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "A")) {
channel_index = 3;
} else {
@@ -1817,6 +1824,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->current_channel_offset += 4;
}
}
+ if (!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') ) & ~s->has_channel) &&
+ !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X')
+ M('Z')) & s->has_channel)) {
+ s->is_luma = 1;
+ } else {
+ avpriv_request_sample(s->avctx, "Uncommon channel
combination");
+ ret = AVERROR(AVERROR_PATCHWELCOME);
+ goto fail;
+ }
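Review bot: `ret = AVERROR(AVERROR_PATCHWELCOME);` wraps an error code that is already negative; if AVERROR() is the plain negation from libavutil/error.h, ret becomes positive, so after `goto fail` the caller sees a non-negative return and carries on with a header that was meant to be rejected. It should read `ret = AVERROR_PATCHWELCOME;`. Separately, the masks are built with `+` where `|` is the idiom for a flag union; the bits are distinct so the value is the same, but `M('R') | M('G') | M('B')` says what is meant. decode_header() continues past the hunk.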
/* Check if all channels are set with an offset or if the channels
* are causing an overflow */
commit bc680e230c38e8487da59c8b6939f4cb4296af89
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 23:08:45 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:00 2025 +0100
avformat/sctp: Check size in sctp_write()
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/sctp.c b/libavformat/sctp.c
index 9d9e90097e..f39ba7ebe0 100644
--- a/libavformat/sctp.c
+++ b/libavformat/sctp.c
@@ -334,6 +334,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf,
int size)
}
if (s->max_streams) {
+ if (size < 2)
+ return AVERROR(EINVAL);
+
/*StreamId is introduced as a 2byte code into the stream*/
struct sctp_sndrcvinfo info = { 0 };
info.sinfo_stream = AV_RB16(buf);
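Review bot: With the new guard, size == 2 passes and leaves an empty payload once the two stream-id bytes are consumed, which may or may not be a valid message for the peer; if an empty message is not intended the bound should be `size <= 2`, and either way a comment would help: `/* the first two bytes of buf carry the stream id, the payload follows */`. sctp_write() begins and ends outside the hunk, so how the remaining bytes are sent is inferred from the comment rather than seen.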
commit 89c5d8bdabc4f7468f983ba4318c2bc9147dfb95
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:20:41 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:00 2025 +0100
avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 5de3bebc62..b029c57621 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket
*pkt);
static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
+static size_t zstrlen(const char *c)
+{
+ if(c)
+ return strlen(c);
+ return 0;
+}
+
static int add_tracked_method(RTMPContext *rt, const char *name, int id)
{
int err;
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
int ret;
if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
- 0, 4096 + APP_MAX_LENGTH)) < 0)
+ 0, 4096 + APP_MAX_LENGTH
+ + strlen(rt->auth_params) +
strlen(rt->flashver)
+ + zstrlen(rt->enhanced_codecs)/5*7
+ + zstrlen(rt->swfurl)
+ + zstrlen(rt->swfverify)
+ + zstrlen(rt->tcurl)
+ + zstrlen(rt->auth_params)
+ + zstrlen(rt->pageurl)
+ + zstrlen(rt->conn)*3
+ )) < 0)
return ret;
p = pkt.data;
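Review bot: `rt->auth_params` is counted twice in the new size (once with strlen, once with zstrlen), and the factors `/5*7` for enhanced_codecs and `*3` for conn are magic numbers with no explanation, so a later change to how those strings are encoded cannot be checked against this bound. The duplicate should go, and each factor deserves a trailing comment naming the encoding it accounts for, or a small helper computing the worst case next to the code that serialises the field. Mixing strlen() for auth_params and flashver with zstrlen() for the others also implies the former can never be NULL here, presumably because they are always set before gen_connect() runs; a comment stating that would help. gen_connect() begins and ends outside the hunk.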
@@ -1926,7 +1942,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
RTMP_PT_INVOKE, 0,
- RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+ RTMP_PKTDATA_DEFAULT_SIZE
+ + strlen(status) + strlen(description)
+ + zstrlen(details))) < 0) {
av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
return ret;
}
commit bb680a9d5398c3f6ad05b2605049e3b563e05e1e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:05:57 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:00 2025 +0100
avformat/rtmpproto_ Check tcurl and flashver length
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit a64e037429f20873ec48f6c82aa145ab448e1399)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 4f866eb76c..5de3bebc62 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2859,6 +2859,12 @@ reconnect:
"FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
}
}
+ if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+ || strlen(rt->tcurl ) > TCURL_MAX_LENGTH
+ ) {
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
rt->receive_report_size = 1048576;
rt->bytes_read = 0;
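Review bot: The new length check fails the connection with a bare EINVAL and no log line, so a user whose flashver or tcurl option is too long gets an unexplained failure. An av_log before the goto makes it diagnosable: `av_log(s, AV_LOG_ERROR, "flashver or tcurl exceeds the maximum length\n");`. The enclosing function begins and ends outside the hunk.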
commit dd062bfaf3ada3b95f55f4d82d1dde440de4e17d
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Oct 7 01:58:34 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:00 2025 +0100
avcodec/g723_1enc: Make min_err 64bit
This is intending to fix the case described in
https://lists.ffmpeg.org/archives/list/[email protected]/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
Where FCBParam optim is used uninitialized
a min_err of 1<<30, allows the struct to be never initilialized as all
err (which is int32_t) can be larger than min_err. By increasing min_err
above the int32_t range this is no longer possible
Untested, as i do not have the testcase
Signed-off-by: Michael Niedermayer <[email protected]>i
(cherry picked from commit 909af3a571da830cc70a34f0c3946379bd12dfbe)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 521f220b2a..f3cd32e37d 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -108,7 +108,7 @@ typedef struct HFParam {
* Optimized fixed codebook excitation parameters
*/
typedef struct FCBParam {
- int min_err;
+ int64_t min_err;
int amp_index;
int grid_index;
int dirac_train;
diff --git a/libavcodec/g723_1enc.c b/libavcodec/g723_1enc.c
index ee5b0fe251..4fd4567a87 100644
--- a/libavcodec/g723_1enc.c
+++ b/libavcodec/g723_1enc.c
@@ -1013,7 +1013,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t
*impulse_resp,
int pulse_cnt = pulses[index];
int i;
- optim.min_err = 1 << 30;
+ optim.min_err = 1LL << 31;
get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {
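Review bot: The new sentinel `1LL << 31` is chosen so it exceeds every int32_t err and the first candidate always wins, but the literal does not say that, and the commit itself notes the change is untested; a comment on the assignment would carry the reasoning: `optim.min_err = 1LL << 31; /* > INT32_MAX, so the first candidate always replaces it and optim is fully initialised */`. Writing it as `(int64_t)INT32_MAX + 1` would state the same intent in the type. fcb_search() begins and ends outside the hunk.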
commit a130ed479b749da9ce5f720d21be4b58ed9d93af
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 6 12:49:49 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:05:00 2025 +0100
avcodec/vlc: Clear val8/16 in vlc_multi_gen() by av_mallocz()
Fixes: use of uninitialized memory
Fixes:
427814450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_DEC_fuzzer-646512196065689
Fixes:
445961558/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5515158672965632
the multi vlc code will otherwise return uninitialized data. Now one can
argue that this data should
not be used, but on errors this data can remain ...
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d8ffec5bf9a2803f55cc0822a97b7815f24bee83)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
index 260b2052be..93d88714f2 100644
--- a/libavcodec/vlc.c
+++ b/libavcodec/vlc.c
@@ -527,7 +527,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI
*multi, int nb_bits, int
if (ret < 0)
return ret;
- multi->table = av_malloc(sizeof(*multi->table) << nb_bits);
+ multi->table = av_mallocz(sizeof(*multi->table) << nb_bits);
if (!multi->table)
goto fail;
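Review bot: Zeroing the table makes the uninitialised reads deterministic, but the commit message says the data should not be read on error paths at all, and nothing at the allocation records that this is a defence rather than a contract; a comment would stop someone reverting it for speed: `/* zeroed: on error paths callers can still read val8/val16 of entries that were never written */`. ff_vlc_init_multi_from_lengths() begins and ends outside the hunk.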
commit 8b42ed314af97390cd3269ecfcff79366acb9290
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 24 20:29:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:59 2025 +0100
avformat/rtpenc_h264_hevc: Check space for nal_length_size in
ff_rtp_send_h264_hevc()
Fixes: memcpy with negative size
Fixes: momo_trip-poc/input
Reported-by: Momoko Shiraishi <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d03483bd265b68db00c9b90f6f48dcf61c5c300d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpenc_h264_hevc.c b/libavformat/rtpenc_h264_hevc.c
index 4d222dca75..38d508fe8f 100644
--- a/libavformat/rtpenc_h264_hevc.c
+++ b/libavformat/rtpenc_h264_hevc.c
@@ -196,6 +196,9 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const
uint8_t *buf1, int size)
r1 = ff_nal_mp4_find_startcode(r, end, s->nal_length_size);
if (!r1)
r1 = end;
+ // Check that the last is not truncated
+ if (r1 - r < s->nal_length_size)
+ break;
r += s->nal_length_size;
} else {
while (!*(r++));
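Review bot: A truncated length prefix is now dropped silently, so a broken producer results in fewer NAL units being sent with nothing in the log to explain it; a warning before the break would make that visible: `av_log(s1, AV_LOG_WARNING, "Truncated NAL length prefix, dropping remainder\n");`. The comment `// Check that the last is not truncated` is also worth expanding to say what is truncated (the nal_length_size-byte length prefix). ff_rtp_send_h264_hevc() begins and ends outside the hunk.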
commit 67ed7fddacc05e6bf73640c1874ca75495678201
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Jul 3 20:27:15 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:59 2025 +0100
avcodec/ffv1enc: Consider variation in slice sizes
When splitting a 5 lines image in 2 slices one will be 3 lines and thus
need more space
Fixes: Assertion sc->slice_coding_mode == 0 failed at
libavcodec/ffv1enc.c:1668
Fixes:
422811239/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4933405139861504
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 388e6fb3be63f88bc62ebda35ca0fc96e99ceed5)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c
index 97b38e4d16..8e5ebe773c 100644
--- a/libavcodec/ffv1enc.c
+++ b/libavcodec/ffv1enc.c
@@ -1684,9 +1684,11 @@ size_t ff_ffv1_encode_buffer_size(AVCodecContext *avctx)
{
FFV1Context *f = avctx->priv_data;
- size_t maxsize = avctx->width*avctx->height * (1 + f->transparency);
+ int w = avctx->width + f->num_h_slices;
+ int h = avctx->height + f->num_v_slices;
+ size_t maxsize = w*h * (1 + f->transparency);
if (f->chroma_planes)
- maxsize += AV_CEIL_RSHIFT(avctx->width, f->chroma_h_shift) *
AV_CEIL_RSHIFT(f->height, f->chroma_v_shift) * 2;
+ maxsize += AV_CEIL_RSHIFT(w, f->chroma_h_shift) * AV_CEIL_RSHIFT(h,
f->chroma_v_shift) * 2;
maxsize += f->slice_count * 800; //for slice header
if (f->version > 3) {
maxsize *= f->bits_per_raw_sample + 1;
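Review bot: `w*h * (1 + f->transparency)` is evaluated in int before it is stored in size_t, so for very large frames the product overflows before it reaches maxsize; the original line had the same weakness, and the added slice padding makes it marginally more likely. Casting the first operand fixes it: `size_t maxsize = (size_t)w * h * (1 + f->transparency);`, and the chroma line has the same shape. ff_ffv1_encode_buffer_size() continues outside the hunk.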
commit 71ecb3d626e3ccc7745c44c74b34434914abb7d9
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Jul 3 22:12:43 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:59 2025 +0100
libavcodec/cbs_apv_syntax_template: limit tile to 2gb
We do not support larger tiles as we use signed int
Alternatively we can check this in apv_decode_tile_component() or
init_get_bits*()
or support bitstreams above 2gb length
Fixes: init_get_bits() failure later
Fixes:
421817631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-4957386534354944
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 4666c1eed37385484c8e34998b3fe2e5c86d4e08)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/cbs_apv_syntax_template.c
b/libavcodec/cbs_apv_syntax_template.c
index 621595ffbf..cd26a4556c 100644
--- a/libavcodec/cbs_apv_syntax_template.c
+++ b/libavcodec/cbs_apv_syntax_template.c
@@ -263,7 +263,7 @@ static int FUNC(frame)(CodedBitstreamContext *ctx,
RWContext *rw,
CHECK(FUNC(frame_header)(ctx, rw, ¤t->frame_header));
for (int t = 0; t < priv->num_tiles; t++) {
- us(32, tile_size[t], 10, MAX_UINT_BITS(32), 1, t);
+ us(32, tile_size[t], 10, MAX_INT_BITS(32), 1, t);
CHECK(FUNC(tile)(ctx, rw, ¤t->tile[t],
t, current->tile_size[t]));
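Review bot: The reason for capping tile_size[t] at MAX_INT_BITS(32) exists only in the commit message; a reader of the syntax template sees an unexplained tightening of a 32-bit field. A one-line comment on the us() line preserves it, e.g. `// tile_size is capped at INT_MAX: the tile reader works with signed int sizes`. FUNC(frame) begins and ends outside the hunk.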
commit dcf7f9b70cf1354c09855de104fac19be26ab03e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Oct 13 14:46:16 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:59 2025 +0100
swscale/output: Fix unsigned cast position in yuv2*
Fixes: signed overflow
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 566e9032b1dee8ed4b8bf5faae0b1f9aa873197f)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libswscale/output.c b/libswscale/output.c
index cb6630bd73..4b3aab3109 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -503,8 +503,8 @@ static void yuv2nv12cX_c(enum AVPixelFormat dstFormat,
const uint8_t *chrDither,
int v = chrDither[(i + 3) & 7] << 12;
int j;
for (j=0; j<chrFilterSize; j++) {
- u += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- v += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ u += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ v += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
dest[2*i]= av_clip_uint8(u>>19);
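Review bot: Casting the filter coefficient to unsigned deliberately turns the multiply and the following `u +=` into wrap-around arithmetic, but nothing in the code says so, and the assignment of an unsigned sum back into the int accumulators is implementation-defined (C11 6.3.1.3) rather than guaranteed, so the intent is easy to lose in a later cleanup. A short comment at the first loop, e.g. `/* unsigned on purpose: intermediate sums may exceed INT_MAX, wrap-around is intended and the clip below restores the range */`, would document it once. The same pattern is repeated in every other hunk of this file and in the two yuv2ya16_X_c_template hunks of commit 716cf25; one comment per file near the first occurrence is enough. yuv2nv12cX_c begins and ends outside the hunk.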
@@ -516,8 +516,8 @@ static void yuv2nv12cX_c(enum AVPixelFormat dstFormat,
const uint8_t *chrDither,
int v = chrDither[(i + 3) & 7] << 12;
int j;
for (j=0; j<chrFilterSize; j++) {
- u += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- v += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ u += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ v += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
dest[2*i]= av_clip_uint8(v>>19);
@@ -577,8 +577,8 @@ static void yuv2p01xcX_c(int big_endian, const uint8_t
*chrDither,
int v = 1 << (shift - 1);
for (j = 0; j < chrFilterSize; j++) {
- u += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- v += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ u += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ v += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
output_pixel(&dest[2*i] , u);
@@ -678,8 +678,8 @@ yuv2mono_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
int Y2 = 1 << 18;
for (j = 0; j < lumFilterSize; j++) {
- Y1 += (unsigned)(lumSrc[j][i] * lumFilter[j]);
- Y2 += (unsigned)(lumSrc[j][i+1] * lumFilter[j]);
+ Y1 += lumSrc[j][i] * (unsigned)lumFilter[j];
+ Y2 += lumSrc[j][i+1] * (unsigned)lumFilter[j];
}
Y1 >>= 19;
Y2 >>= 19;
@@ -896,12 +896,12 @@ yuv2422_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
int V = 1 << 18;
for (j = 0; j < lumFilterSize; j++) {
- Y1 += (unsigned)(lumSrc[j][i * 2] * lumFilter[j]);
- Y2 += (unsigned)(lumSrc[j][i * 2 + 1] * lumFilter[j]);
+ Y1 += lumSrc[j][i * 2] * (unsigned)lumFilter[j];
+ Y2 += lumSrc[j][i * 2 + 1] * (unsigned)lumFilter[j];
}
for (j = 0; j < chrFilterSize; j++) {
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
Y1 >>= 19;
Y2 >>= 19;
@@ -1802,12 +1802,12 @@ yuv2rgb_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
const void *r, *g, *b;
for (j = 0; j < lumFilterSize; j++) {
- Y1 += (unsigned)(lumSrc[j][i * 2] * lumFilter[j]);
- Y2 += (unsigned)(lumSrc[j][i * 2 + 1] * lumFilter[j]);
+ Y1 += lumSrc[j][i * 2] * (unsigned)lumFilter[j];
+ Y2 += lumSrc[j][i * 2 + 1] * (unsigned)lumFilter[j];
}
for (j = 0; j < chrFilterSize; j++) {
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
Y1 >>= 19;
Y2 >>= 19;
@@ -1817,8 +1817,8 @@ yuv2rgb_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
A1 = 1 << 18;
A2 = 1 << 18;
for (j = 0; j < lumFilterSize; j++) {
- A1 += (unsigned)(alpSrc[j][i * 2 ] * lumFilter[j]);
- A2 += (unsigned)(alpSrc[j][i * 2 + 1] * lumFilter[j]);
+ A1 += alpSrc[j][i * 2 ] * (unsigned)lumFilter[j];
+ A2 += alpSrc[j][i * 2 + 1] * (unsigned)lumFilter[j];
}
A1 >>= 19;
A2 >>= 19;
@@ -2179,11 +2179,11 @@ yuv2rgb_full_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
int V = (1<<9)-(128 << 19);
for (j = 0; j < lumFilterSize; j++) {
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
}
for (j = 0; j < chrFilterSize; j++) {
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
Y >>= 10;
U >>= 10;
@@ -2191,7 +2191,7 @@ yuv2rgb_full_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
if (hasAlpha) {
A = 1 << 18;
for (j = 0; j < lumFilterSize; j++) {
- A += (unsigned)(alpSrc[j][i] * lumFilter[j]);
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
}
A >>= 19;
if (A & 0x100)
@@ -2360,11 +2360,11 @@ yuv2gbrp_full_X_c(SwsInternal *c, const int16_t
*lumFilter,
int R, G, B;
for (j = 0; j < lumFilterSize; j++)
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
for (j = 0; j < chrFilterSize; j++) {
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
Y >>= 10;
@@ -2375,7 +2375,7 @@ yuv2gbrp_full_X_c(SwsInternal *c, const int16_t
*lumFilter,
A = 1 << 18;
for (j = 0; j < lumFilterSize; j++)
- A += (unsigned)(alpSrc[j][i] * lumFilter[j]);
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
if (A & 0xF8000000)
A = av_clip_uintp2(A, 27);
@@ -2679,7 +2679,7 @@ yuv2ya8_X_c(SwsInternal *c, const int16_t *lumFilter,
int Y = 1 << 18, A = 1 << 18;
for (j = 0; j < lumFilterSize; j++)
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
Y >>= 19;
if (Y & 0x100)
@@ -2687,7 +2687,7 @@ yuv2ya8_X_c(SwsInternal *c, const int16_t *lumFilter,
if (hasAlpha) {
for (j = 0; j < lumFilterSize; j++)
- A += (unsigned)(alpSrc[j][i] * lumFilter[j]);
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
A >>= 19;
@@ -2793,11 +2793,11 @@ yuv2v30_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
int j;
for (j = 0; j < lumFilterSize; j++)
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
for (j = 0; j < chrFilterSize; j++) {
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
Y = av_clip_uintp2(Y >> 17, 10);
@@ -2847,11 +2847,11 @@ yuv2xv36_X_c(SwsInternal *c, const int16_t *lumFilter,
int j;
for (j = 0; j < lumFilterSize; j++)
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
for (j = 0; j < chrFilterSize; j++) {
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
}
output_pixels(dest + 8 * i + 2, Y, 15, 12, 4)
@@ -3011,13 +3011,13 @@ yuv2ayuv_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
int V = 1 << 18, A = 255;
for (j = 0; j < lumFilterSize; j++)
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
for (j = 0; j < chrFilterSize; j++)
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
for (j = 0; j < chrFilterSize; j++)
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
Y >>= 19;
U >>= 19;
@@ -3034,7 +3034,7 @@ yuv2ayuv_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
A = 1 << 18;
for (j = 0; j < lumFilterSize; j++)
- A += (unsigned)(alpSrc[j][i] * lumFilter[j]);
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
A >>= 19;
@@ -3105,13 +3105,13 @@ AYUVPACKEDWRAPPER(uyva, AV_PIX_FMT_UYVA)
int U = 1 << (shift - 1), V = 1 << (shift - 1); \
\
for (j = 0; j < lumFilterSize; j++) { \
- Y1 += (unsigned)(lumSrc[j][i * 2] * lumFilter[j]);
\
- Y2 += (unsigned)(lumSrc[j][i * 2 + 1] * lumFilter[j]);
\
+ Y1 += lumSrc[j][i * 2] * (unsigned)lumFilter[j]; \
+ Y2 += lumSrc[j][i * 2 + 1] * (unsigned)lumFilter[j]; \
} \
\
for (j = 0; j < chrFilterSize; j++) { \
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
\
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
\
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j]; \
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j]; \
} \
\
output_pixel(dest + 8 * i + 0, Y1, bits); \
@@ -3259,13 +3259,13 @@ yuv2vyu444_X_c(SwsInternal *c, const int16_t *lumFilter,
int V = 1 << 18;
for (j = 0; j < lumFilterSize; j++)
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
for (j = 0; j < chrFilterSize; j++)
- U += (unsigned)(chrUSrc[j][i] * chrFilter[j]);
+ U += chrUSrc[j][i] * (unsigned)chrFilter[j];
for (j = 0; j < chrFilterSize; j++)
- V += (unsigned)(chrVSrc[j][i] * chrFilter[j]);
+ V += chrVSrc[j][i] * (unsigned)chrFilter[j];
Y >>= 19;
U >>= 19;
commit 716cf25eb8616e8e068a7c2a5d23ae107bd117b4
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Oct 13 14:32:45 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:59 2025 +0100
swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Found-by: colod colod <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libswscale/output.c b/libswscale/output.c
index b873276c00..cb6630bd73 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1028,7 +1028,7 @@ yuv2ya16_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
int A = 0xffff;
for (j = 0; j < lumFilterSize; j++)
- Y += (unsigned)(lumSrc[j][i] * lumFilter[j]);
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
Y >>= 15;
Y += (1<<3) + 0x8000;
@@ -1037,7 +1037,7 @@ yuv2ya16_X_c_template(SwsInternal *c, const int16_t
*lumFilter,
if (hasAlpha) {
A = -0x40000000 + (1<<14);
for (j = 0; j < lumFilterSize; j++)
- A += (unsigned)(alpSrc[j][i] * lumFilter[j]);
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
A >>= 15;
A += 0x8000;
commit aad0a7d8f610fc89aa470f51404e2ba4975be442
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:18:30 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:58 2025 +0100
avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 7896cc67c13037abba8941e39a74c56d26b775a7)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 81c0026507..401b4f499c 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1005,6 +1005,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
if (version != 2)
return AVERROR_INVALIDDATA;
+ if (s->nb_channels < 3) {
+ avpriv_request_sample(s->avctx, "Gray DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+
lo_usize = AV_RL64(src + 8);
lo_size = AV_RL64(src + 16);
ac_size = AV_RL64(src + 24);
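Review bot: The new guard rejects fewer than three channels, but the commit message says the implementation hardcodes access to three channels; whether a file with more than three is decoded correctly by the code below or merely avoids the out-of-bounds access is not visible here. If only exactly three are supported, `if (s->nb_channels != 3)` is the precise check; if extra channels are tolerated, a one-line comment after the guard stating what happens to channels beyond the third would spare the next reader the question. dwa_uncompress begins and ends outside the hunk.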
commit 1cac745f2dbad423e2087e96cf4b10f4ff082165
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 17:32:46 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:58 2025 +0100
avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8e078826da6f2a1dffa25162121b43b272f5e5fa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 151db2e263..81c0026507 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1021,6 +1021,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
)
return AVERROR_INVALIDDATA;
+ if (ac_size <= 0) {
+ avpriv_request_sample(s->avctx, "Zero ac_size");
+ return AVERROR_INVALIDDATA;
+ }
+
if ((uint64_t)rle_raw_size > INT_MAX) {
avpriv_request_sample(s->avctx, "Too big rle_raw_size");
return AVERROR_INVALIDDATA;
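Review bot: The condition `ac_size <= 0` also catches negative values while the sample request says "Zero ac_size", and the return is AVERROR_INVALIDDATA where the neighbouring nb_channels guard from commit aad0a7d pairs avpriv_request_sample with AVERROR_PATCHWELCOME. If negative ac_size is already rejected by the size check whose tail is visible at the top of the hunk, `ac_size == 0` says exactly what is meant; otherwise the message should mention negative values too. A zero ac_size that is unimplemented rather than invalid reads more consistently as AVERROR_PATCHWELCOME. dwa_uncompress begins and ends outside the hunk.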
commit ac0a59de516aa0ec2d9d1ee91d068ba25ffea252
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 21:28:04 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:58 2025 +0100
avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
Thus we ask the user for a sample if she encounters such a file.
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c911e0001115bbda904ad103b12c27b9a3c0c265)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 67f971ff35..151db2e263 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -992,8 +992,8 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
int64_t version, lo_usize, lo_size;
int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
int64_t ac_count, dc_count, ac_compression;
- const int dc_w = td->xsize >> 3;
- const int dc_h = td->ysize >> 3;
+ const int dc_w = (td->xsize + 7) >> 3;
+ const int dc_h = (td->ysize + 7) >> 3;
GetByteContext gb, agb;
int skip, ret;
int have_rle = 0;
@@ -1026,6 +1026,10 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
return AVERROR_INVALIDDATA;
}
+ if (td->xsize % 8 || td->ysize % 8) {
+ avpriv_request_sample(s->avctx, "odd dimensions DWA");
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
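Review bot: After the new `td->xsize % 8 || td->ysize % 8` check decoding continues with the rounded-up dc_w/dc_h, which the commit message itself calls an untested guess; that intent belongs in the code, e.g. `/* odd tile sizes: dc_w/dc_h were rounded up above, which is a guess; continue but ask for a sample */` above the check. A comment on the dc_w/dc_h declarations in the first hunk stating that they must cover partial 8x8 blocks would tie the two hunks together. dwa_uncompress begins and ends outside the hunks.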
commit 9f6c98a32e086ee5baf4d2bb7803adbe8753b2b3
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 11 20:12:55 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:58 2025 +0100
avcodec/mjpegdec: Explain buf_size/width/height check
Suggested-by: Ramiro
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 61b6877637041a1f817ad9811c839b0feae2b8af)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 858b5be1af..7633b2539b 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -343,6 +343,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
if (av_image_check_size(width, height, 0, s->avctx) < 0)
return AVERROR_INVALIDDATA;
+
+ // A valid frame requires at least 1 bit for DC + 1 bit for AC for each
8x8 block.
if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size *
4LL)
return AVERROR_INVALIDDATA;
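Review bot: The new comment states the requirement but not how `s->buf_size * 4LL` follows from it; a reader still has to work out that 2 bits per block means at most buf_size * 8 / 2 blocks. Extending it to `// ... 8x8 block, i.e. 2 bits per block, so at most buf_size * 8 / 2 == buf_size * 4 blocks fit` makes the constant self-explanatory. ff_mjpeg_decode_sof continues outside the hunk.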
commit a7f9caa66297525b099bcd7c6c9931f53cb2f759
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Sep 21 16:49:45 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:58 2025 +0100
configure: strip non numeric trailer from gcc version
Fixes: ../configure: 7820: [: Illegal number: 13-win32
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit b1cbc7c8ff515159130bc4290ef6ab204e7101e8)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/configure b/configure
index 1dc9a87909..a0eed36abf 100755
--- a/configure
+++ b/configure
@@ -7758,7 +7758,7 @@ if enabled icc; then
fi
elif enabled gcc; then
gcc_version=$($cc -dumpversion)
- major_version=${gcc_version%%.*}
+ major_version=${gcc_version%%[!0-9]*}
if [ $major_version -lt 13 ]; then
# Disable tree-vectorize for GCC <13 - it has historically been buggy.
check_optflags -fno-tree-vectorize
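Review bot: `${gcc_version%%[!0-9]*}` yields an empty string when `$cc -dumpversion` prints nothing or starts with a non-digit, and the unquoted `[ $major_version -lt 13 ]` on the next line then fails with a different error from the one the commit fixes (`[: -lt: unary operator expected`). Making the unparseable case explicit, `if [ -z "$major_version" ] || [ "$major_version" -lt 13 ]; then`, keeps the conservative no-tree-vectorize path for versions the pattern cannot read. The enclosing if/elif chain starts outside the hunk.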
commit 8674f8c3cd4eea18cb6aed4710dee46fac97f0f1
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Sep 20 01:25:51 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:58 2025 +0100
avformat/dhav: Fix off by length of read element error
Fixes: out of array read
Fixes: BIGSLEEP-445383648
Fixes: crash_input_1/2/3.dhav
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 55e71768cf7d9cb395187be0cf38e97b9c454ea1)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/dhav.c b/libavformat/dhav.c
index 21c9c530d6..b3fa612ab3 100644
--- a/libavformat/dhav.c
+++ b/libavformat/dhav.c
@@ -251,7 +251,7 @@ static int64_t get_duration(AVFormatContext *s)
unsigned date;
int64_t size = avio_size(s->pb);
- if (start_pos + 16 > size)
+ if (start_pos + 20 > size)
return 0;
avio_skip(s->pb, 16);
@@ -279,7 +279,7 @@ static int64_t get_duration(AVFormatContext *s)
}
}
- if (pos < buffer_pos || pos + 16 > buffer_pos + buffer_size)
+ if (pos < buffer_pos || pos + 20 > buffer_pos + buffer_size)
goto fail;
date = AV_RL32(buffer + (pos - buffer_pos) + 16);
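Review bot: The bound `20` now appears in both hunks with nothing tying it to what it protects, the 16 bytes skipped plus the 4-byte AV_RL32 read at offset 16; a comment on the first check, e.g. `if (start_pos + 20 > size) /* 16 bytes skipped + 4 byte date field */`, or a named constant used in both places, records why 16 was one element short. get_duration begins and ends outside the hunks.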
commit bb0e3e7a7c166b5cc6180fc783609255b65b6aeb
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Fri Jul 11 22:58:26 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:57 2025 +0100
avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233.
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 987c955cd7e972d9940284fa6ae7187ac858ebb1)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 6a74c1ce68..9041280e77 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -308,7 +308,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int
whence)
ctx->seek_count++;
if (!s->write_flag)
s->buf_end = s->buffer;
- s->buf_ptr = s->buf_ptr_max = s->buffer;
+ s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer;
s->pos = offset;
}
s->eof_reached = 0;
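Review bot: The added reset keeps checksum_ptr in step with buf_ptr on the drop-the-buffer path, but the invariant being maintained, that checksum_ptr never exceeds buf_ptr because ffio_get_checksum() hands `buf_ptr - checksum_ptr` to update_checksum as an unsigned length, lives only in the commit message. A comment on the new line, e.g. `/* checksum_ptr must never exceed buf_ptr, see ffio_get_checksum() */`, protects it from the next edit, and the other branches of avio_seek that move buf_ptr (outside this hunk) deserve the same review. avio_seek begins and ends outside the hunk.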
commit 277384f039e8745a6c503e27ae7b51033bd2ba01
Author: Zhao Zhili <[email protected]>
AuthorDate: Tue Sep 2 18:04:11 2025 +0800
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:57 2025 +0100
doc/examples/vaapi_encode: fix invalid check on fwrite
enc_pkt->size is 0 after av_packet_unref, which makes the check invalid.
Fix regression from 3e4bfff2.
Co-Authored-by: Jin Bo <[email protected]>
Signed-off-by: Zhao Zhili <[email protected]>
(cherry picked from commit 09856e4e483f14125d38e5c84e908f623bb1a888)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/doc/examples/vaapi_encode.c b/doc/examples/vaapi_encode.c
index ff3ebb1e2b..330a6524ef 100644
--- a/doc/examples/vaapi_encode.c
+++ b/doc/examples/vaapi_encode.c
@@ -88,7 +88,7 @@ static int encode_write(AVCodecContext *avctx, AVFrame
*frame, FILE *fout)
enc_pkt->stream_index = 0;
ret = fwrite(enc_pkt->data, enc_pkt->size, 1, fout);
av_packet_unref(enc_pkt);
- if (ret != enc_pkt->size) {
+ if (!ret) {
ret = AVERROR(errno);
break;
}
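Review bot: `errno` is read on the line after `av_packet_unref()`, which can call into the allocator and overwrite it, so the error code reported may be unrelated to the fwrite() failure; in addition fwrite() with `enc_pkt->size == 0` returns 0 even on success, so `!ret` would report a spurious error for an empty packet, should the encoder ever emit one. Checking the result before unref'ing the packet addresses both and restores the size information the previous comparison was after. encode_write begins and ends outside the hunk.
```c
ret = fwrite(enc_pkt->data, enc_pkt->size, 1, fout);
if (ret != 1 && enc_pkt->size > 0) {
    ret = AVERROR(errno); /* read errno before any other call can clobber it */
    av_packet_unref(enc_pkt);
    break;
}
av_packet_unref(enc_pkt);
```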
commit 4a73c79ad5dbf21d9b91ed0cfa5e5f0113632d24
Author: Andrey Semashev <[email protected]>
AuthorDate: Tue Sep 2 01:07:05 2025 +0300
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:57 2025 +0100
avcodec/librsvgdec: fix compilation with librsvg 2.50.3
This fixes compilation with librsvg 2.50.3: error: viewport undeclared
This was a regression since commit
86ed68420d3b60439d0b7767c53d0fdc1deb7277.
Fixes #10722.
Reviewed-by: Leo Izen <[email protected]>
(cherry picked from commit 9ee7796c540ce9cec3fdff0dd246de842228707b)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/librsvgdec.c b/libavcodec/librsvgdec.c
index c328fbc774..f0566eb5d8 100644
--- a/libavcodec/librsvgdec.c
+++ b/libavcodec/librsvgdec.c
@@ -90,8 +90,6 @@ static int librsvg_decode_frame(AVCodecContext *avctx,
AVFrame *frame,
goto end;
avctx->pix_fmt = AV_PIX_FMT_RGB32;
- viewport.width = dimensions.width;
- viewport.height = dimensions.height;
ret = ff_get_buffer(avctx, frame, 0);
if (ret < 0)
@@ -116,6 +114,8 @@ static int librsvg_decode_frame(AVCodecContext *avctx,
AVFrame *frame,
cairo_restore(crender);
#if LIBRSVG_MAJOR_VERSION > 2 || LIBRSVG_MAJOR_VERSION == 2 &&
LIBRSVG_MINOR_VERSION >= 52
+ viewport.width = dimensions.width;
+ viewport.height = dimensions.height;
gret = rsvg_handle_render_document(handle, crender, &viewport, &error);
#else
cairo_scale(crender, dimensions.width / (double)unscaled_dimensions.width,
commit 7d741cc3b4a1dc1ea94b90a266acc6a7cb49e78f
Author: Cameron Gutman <[email protected]>
AuthorDate: Sun Aug 10 16:11:55 2025 -0500
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:57 2025 +0100
avcodec/mfenc: fix memory leak with D3D11 input surfaces
Fixes: d56522c6eb75 ("avcodec/mfenc: add support for D3D11 input surfaces")
Signed-off-by: Cameron Gutman <[email protected]>
(cherry picked from commit b2910ec92ef0f12f2cee56be331f8ae234ead4a4)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mfenc.c b/libavcodec/mfenc.c
index 30531fe3e8..949ee684e4 100644
--- a/libavcodec/mfenc.c
+++ b/libavcodec/mfenc.c
@@ -1356,6 +1356,9 @@ static int mf_close(AVCodecContext *avctx)
if (c->async_events)
IMFMediaEventGenerator_Release(c->async_events);
+ if (c->dxgiManager)
+ IMFDXGIDeviceManager_Release(c->dxgiManager);
+
#if !HAVE_UWP
if (c->library)
ff_free_mf(&c->functions, &c->mft);
commit 520570dbeb06377556dd92798e38d5b5fd0dbc35
Author: Niklas Haas <[email protected]>
AuthorDate: Wed Aug 27 12:14:45 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 02:04:57 2025 +0100
swscale/graph: fix double-free when legacy pass fails initializing
If this function returns an error after ff_sws_graph_add_pass() has been
called, and the pass->free callback is therefore already set up to free the
context, the graph will end up freed twice: once by the pass->free callback
(during ff_sws_graph_free()), and once before that by failure path of the
caller (e.g. add_legacy_sws_pass(), or init_legacy_subpass() itself for
cascaded contexts.)
The solution is to redefine the ownership of SwsGraph to pass clearly from
the caller of add_legacy_sws_pass() to init_legacy_subpass(), which can then
deal with appropriately freeing the context conditional on whether or not
the
pass was already registered in the pass list.
Reported-by: ê¹ì민 <[email protected]>
Signed-off-by: Niklas Haas <[email protected]>
(cherry picked from commit 4ede75b5f48df5a487ec85da4ec4ca2e16046341)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libswscale/graph.c b/libswscale/graph.c
index 5bc524f1e3..9d46f8f27f 100644
--- a/libswscale/graph.c
+++ b/libswscale/graph.c
@@ -279,6 +279,7 @@ static void legacy_chr_pos(SwsGraph *graph, int *chr_pos,
int override, int *war
*chr_pos = override;
}
+/* Takes over ownership of `sws` */
static int init_legacy_subpass(SwsGraph *graph, SwsContext *sws,
SwsPass *input, SwsPass **output)
{
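Review bot: `/* Takes over ownership of `sws` */` states the transfer but not the two outcomes the body implements: on every error path init_legacy_subpass() frees sws itself, and on success ownership moves to the pass's free callback (free_legacy_swscale). Spelling out that the caller must not touch sws after the call regardless of the return value is exactly what add_legacy_sws_pass() relies on in the last hunk. init_legacy_subpass continues past the hunk.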
@@ -293,17 +294,19 @@ static int init_legacy_subpass(SwsGraph *graph,
SwsContext *sws,
if (c->cascaded_context[0]) {
const int num_cascaded = c->cascaded_context[2] ? 3 : 2;
for (int i = 0; i < num_cascaded; i++) {
- SwsContext *sub = c->cascaded_context[i];
const int is_last = i + 1 == num_cascaded;
+
+ /* Steal cascaded context, so we can manage its lifetime
independently */
+ SwsContext *sub = c->cascaded_context[i];
+ c->cascaded_context[i] = NULL;
+
ret = init_legacy_subpass(graph, sub, input, is_last ? output :
&input);
if (ret < 0)
- return ret;
- /* Steal cascaded context, so we can free the parent */
- c->cascaded_context[i] = NULL;
+ break;
}
sws_free_context(&sws);
- return 0;
+ return ret;
}
if (sws->dither == SWS_DITHER_ED && !c->convert_unscaled)
@@ -311,20 +314,26 @@ static int init_legacy_subpass(SwsGraph *graph,
SwsContext *sws,
if (c->src0Alpha && !c->dst0Alpha && isALPHA(sws->dst_format)) {
ret = pass_append(graph, AV_PIX_FMT_RGBA, src_w, src_h, &input, 1, c,
run_rgb0);
- if (ret < 0)
+ if (ret < 0) {
+ sws_free_context(&sws);
return ret;
+ }
}
if (c->srcXYZ && !(c->dstXYZ && unscaled)) {
ret = pass_append(graph, AV_PIX_FMT_RGB48, src_w, src_h, &input, 1, c,
run_xyz2rgb);
- if (ret < 0)
+ if (ret < 0) {
+ sws_free_context(&sws);
return ret;
+ }
}
pass = ff_sws_graph_add_pass(graph, sws->dst_format, dst_w, dst_h, input,
align, sws,
c->convert_unscaled ? run_legacy_unscaled :
run_legacy_swscale);
- if (!pass)
+ if (!pass) {
+ sws_free_context(&sws);
return AVERROR(ENOMEM);
+ }
pass->setup = setup_legacy_swscale;
pass->free = free_legacy_swscale;
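Review bot: The two pass_append() calls earlier in this hunk register passes that receive `c`, apparently as their context, and the new failure paths then free sws (and with it c) while those passes remain in the graph. That is safe only if run_rgb0/run_xyz2rgb never execute and no callback on those passes touches c after a failed init, which presumably holds because the caller discards the whole graph on error, but it is not visible here and deserves a comment next to the first added `sws_free_context(&sws)`, e.g. `/* passes appended above keep a pointer to c; the caller discards the graph on error */`. The cascaded loop in the previous hunk frees the parent the same way after a `break`. init_legacy_subpass begins and ends outside the hunk.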
@@ -444,13 +453,7 @@ static int add_legacy_sws_pass(SwsGraph *graph, SwsFormat
src, SwsFormat dst,
brightness, contrast, saturation);
}
- ret = init_legacy_subpass(graph, sws, input, output);
- if (ret < 0) {
- sws_free_context(&sws);
- return ret;
- }
-
- return 0;
+ return init_legacy_subpass(graph, sws, input, output);
}
/**************************
-----------------------------------------------------------------------
Summary of changes:
configure | 2 +-
doc/examples/vaapi_encode.c | 2 +-
libavcodec/cbs_apv_syntax_template.c | 2 +-
libavcodec/exr.c | 57 +++++++++++++++++-----
libavcodec/ffv1enc.c | 6 ++-
libavcodec/g723_1.h | 2 +-
libavcodec/g723_1enc.c | 2 +-
libavcodec/librsvgdec.c | 4 +-
libavcodec/mediacodecdec_common.c | 6 +++
libavcodec/mfenc.c | 3 ++
libavcodec/mjpegdec.c | 2 +
libavcodec/osq.c | 2 +-
libavcodec/rv60dec.c | 3 +-
libavcodec/utvideodec.c | 2 +-
libavcodec/vlc.c | 2 +-
libavfilter/vf_drawtext.c | 2 +-
libavformat/aviobuf.c | 2 +-
libavformat/dhav.c | 4 +-
libavformat/http.c | 2 +-
libavformat/rtmpproto.c | 28 ++++++++++-
libavformat/rtpdec_rfc4175.c | 28 ++++++++---
libavformat/rtpenc_h264_hevc.c | 3 ++
libavformat/sctp.c | 3 ++
libavformat/whip.c | 4 +-
libswscale/graph.c | 33 +++++++------
libswscale/output.c | 94 ++++++++++++++++++------------------
26 files changed, 198 insertions(+), 102 deletions(-)
hooks/post-receive
--