This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 5bc4a9898c806c1d532ac11712a26537acb96734 Author: Jun Zhao <[email protected]> AuthorDate: Sun Jan 25 10:31:48 2026 +0800 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Mar 15 00:49:57 2026 +0100 lavfi/bwdif: fix heap-buffer-overflow with small height videos Reproduce: ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null - filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3]. For small height videos (h <= 4), this causes heap-buffer-overflow. Add boundary check for filter_intra when YADIF_FIELD_END is set. The boundary condition (y < 3) or (y + 3 >= td->h) precisely matches filter_intra's 3-line context requirement. Test file: 160x4 gray16 JPEG https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15 fix #21570 Reviewed-by: Thomas Mundt <[email protected]> Signed-off-by: Jun Zhao <[email protected]> (cherry picked from commit 795bccdaf57772b1803914dee2f32d52776518e2) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/vf_bwdif.c | 19 ++++++++++++++----- tests/ref/fate/filter-bwdif-mode0 | 2 +- tests/ref/fate/filter-bwdif-mode1 | 2 +- tests/ref/fate/filter-bwdif10 | 2 +- 4 files changed, 17 insertions(+), 8 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index d49f3f66d6..67efc3a8c3 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -77,11 +77,20 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) uint8_t *next = &yadif->next->data[td->plane][y * linesize]; uint8_t *dst = &td->frame->data[td->plane][y * td->frame->linesize[td->plane]]; if (yadif->current_field == YADIF_FIELD_END) { - s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, - y > (df - 1) ? -refs : refs, - (y + 3*df) < td->h ? 3 * refs : -refs, - y > (3*df - 1) ? -3 * refs : refs, - td->parity ^ td->tff, clip_max); + if ((y < 3) || ((y + 3) >= td->h)) { + s->dsp.filter_edge(dst, prev, cur, next, td->w, + (y + df) < td->h ? refs : -refs, + y > (df - 1) ? -refs : refs, + refs << 1, -(refs << 1), + td->parity ^ td->tff, clip_max, + (y < 2) || ((y + 3) > td->h) ? 0 : 1); + } else { + s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, + y > (df - 1) ? -refs : refs, + (y + 3*df) < td->h ? 3 * refs : -refs, + y > (3*df - 1) ? -3 * refs : refs, + td->parity ^ td->tff, clip_max); + } } else if ((y < 4) || ((y + 5) > td->h)) { s->dsp.filter_edge(dst, prev, cur, next, td->w, (y + df) < td->h ? refs : -refs, diff --git a/tests/ref/fate/filter-bwdif-mode0 b/tests/ref/fate/filter-bwdif-mode0 index 23dcaee900..91b47dbe70 100644 --- a/tests/ref/fate/filter-bwdif-mode0 +++ b/tests/ref/fate/filter-bwdif-mode0 @@ -3,7 +3,7 @@ #codec_id 0: rawvideo #dimensions 0: 720x576 #sar 0: 16/15 -0, 9, 9, 1, 622080, 0xd435648a +0, 9, 9, 1, 622080, 0x3f25bfc2 0, 10, 10, 1, 622080, 0x62085455 0, 11, 11, 1, 622080, 0x60f943a0 0, 12, 12, 1, 622080, 0x5396f14a diff --git a/tests/ref/fate/filter-bwdif-mode1 b/tests/ref/fate/filter-bwdif-mode1 index e8db88c932..1e604646e7 100644 --- a/tests/ref/fate/filter-bwdif-mode1 +++ b/tests/ref/fate/filter-bwdif-mode1 @@ -3,7 +3,7 @@ #codec_id 0: rawvideo #dimensions 0: 720x576 #sar 0: 16/15 -0, 18, 18, 1, 622080, 0xd435648a +0, 18, 18, 1, 622080, 0x3f25bfc2 0, 19, 19, 1, 622080, 0xef4617cc 0, 20, 20, 1, 622080, 0x62085455 0, 21, 21, 1, 622080, 0x5b5ae735 diff --git a/tests/ref/fate/filter-bwdif10 b/tests/ref/fate/filter-bwdif10 index 85ce543880..d97acea991 100644 --- a/tests/ref/fate/filter-bwdif10 +++ b/tests/ref/fate/filter-bwdif10 @@ -3,7 +3,7 @@ #codec_id 0: rawvideo #dimensions 0: 720x576 #sar 0: 16/15 -0, 9, 9, 1, 1244160, 0x57c21e2b +0, 9, 9, 1, 1244160, 0x4f0e6e1c 0, 10, 10, 1, 1244160, 0x57152296 0, 11, 11, 1, 1244160, 0x0074598b 0, 12, 12, 1, 1244160, 0x44537bb8 _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
