This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 4fad136704 avfilter/vf_stack: add checks for the final canvas
dimensions
4fad136704 is described below
commit 4fad1367040e093c8a52f4f34054e4feb5203243
Author: James Almer <[email protected]>
AuthorDate: Sat Jan 3 21:31:30 2026 -0300
Commit: James Almer <[email protected]>
CommitDate: Sat Jan 3 21:31:30 2026 -0300
avfilter/vf_stack: add checks for the final canvas dimensions
Prevents potential integer overflows when trying to stitch absurdly huge
images together.
Fixes #YWH-PGM40646-38.
Signed-off-by: James Almer <[email protected]>
---
libavfilter/vf_stack.c | 38 ++++++++++++++++++++++++++++++++------
1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/libavfilter/vf_stack.c b/libavfilter/vf_stack.c
index a36e1bab64..6e9ac60a56 100644
--- a/libavfilter/vf_stack.c
+++ b/libavfilter/vf_stack.c
@@ -234,6 +234,8 @@ static int config_output(AVFilterLink *outlink)
item->y[1] = item->y[2] = AV_CEIL_RSHIFT(height,
s->desc->log2_chroma_h);
item->y[0] = item->y[3] = height;
+ if (height > INT_MAX - ctx->inputs[i]->h)
+ return AVERROR(EINVAL);
height += ctx->inputs[i]->h;
}
}
@@ -259,6 +261,8 @@ static int config_output(AVFilterLink *outlink)
return ret;
}
+ if (width > INT_MAX - ctx->inputs[i]->w)
+ return AVERROR(EINVAL);
width += ctx->inputs[i]->w;
}
}
@@ -294,8 +298,13 @@ static int config_output(AVFilterLink *outlink)
item->y[1] = item->y[2] = AV_CEIL_RSHIFT(inh,
s->desc->log2_chroma_h);
item->y[0] = item->y[3] = inh;
+
+ if (inw > INT_MAX - ctx->inputs[k]->w)
+ return AVERROR(EINVAL);
inw += ctx->inputs[k]->w;
}
+ if (height > INT_MAX - row_height)
+ return AVERROR(EINVAL);
height += row_height;
if (!i)
width = inw;
@@ -351,26 +360,41 @@ static int config_output(AVFilterLink *outlink)
if (size == i || size < 0 || size >= s->nb_inputs)
return AVERROR(EINVAL);
- if (!j)
+ if (!j) {
+ if (inw > INT_MAX - ctx->inputs[size]->w)
+ return AVERROR(EINVAL);
inw += ctx->inputs[size]->w;
- else
+ } else {
+ if (inh > INT_MAX - ctx->inputs[size]->w)
+ return AVERROR(EINVAL);
inh += ctx->inputs[size]->w;
+ }
} else if (sscanf(arg3, "h%d", &size) == 1) {
if (size == i || size < 0 || size >= s->nb_inputs)
return AVERROR(EINVAL);
- if (!j)
+ if (!j) {
+ if (inw > INT_MAX - ctx->inputs[size]->h)
+ return AVERROR(EINVAL);
inw += ctx->inputs[size]->h;
- else
+ } else {
+ if (inh > INT_MAX - ctx->inputs[size]->h)
+ return AVERROR(EINVAL);
inh += ctx->inputs[size]->h;
+ }
} else if (sscanf(arg3, "%d", &size) == 1) {
if (size < 0)
return AVERROR(EINVAL);
- if (!j)
+ if (!j) {
+ if (inw > INT_MAX - size)
+ return AVERROR(EINVAL);
inw += size;
- else
+ } else {
+ if (inh > INT_MAX - size)
+ return AVERROR(EINVAL);
inh += size;
+ }
} else {
return AVERROR(EINVAL);
}
@@ -384,6 +408,8 @@ static int config_output(AVFilterLink *outlink)
item->y[1] = item->y[2] = AV_CEIL_RSHIFT(inh,
s->desc->log2_chroma_h);
item->y[0] = item->y[3] = inh;
+ if (inlink->w > INT_MAX - inw || inlink->h > INT_MAX - inh)
+ return AVERROR(EINVAL);
width = FFMAX(width, inlink->w + inw);
height = FFMAX(height, inlink->h + inh);
}
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
