Jun Zhao via ffmpeg-devel <[email protected]> wrote on Sun, 25 Jan 2026, 03:59:
> PR #21574 opened by Jun Zhao (mypopydev) > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574 > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574.patch > > Reproduce: > ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null - > > filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3]. > For small height videos (h <= 4), this causes heap-buffer-overflow. > Consolidate boundary checks before filter_intra. Fall back to filter_edge > for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge > calls for both YADIF_FIELD_END and normal paths. > > Test file: 160x4 gray16 JPEG > https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15 > > fix #21570 > > Signed-off-by: Jun Zhao <[email protected]> > > > >From 2fb2658515f7fb0d47ca4710f2ebd672934497c0 Mon Sep 17 00:00:00 2001 > From: Jun Zhao <[email protected]> > Date: Sun, 25 Jan 2026 10:31:48 +0800 > Subject: [PATCH] lavf/bwdif: fix heap-buffer-overflow with small height > videos > > Reproduce: > ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null - > > filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3]. > For small height videos (h <= 4), this causes heap-buffer-overflow. > Consolidate boundary checks before filter_intra. Fall back to filter_edge > for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge > calls for both YADIF_FIELD_END and normal paths. > > Test file: 160x4 gray16 JPEG > https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15 > > fix #21570 > > Signed-off-by: Jun Zhao <[email protected]> > --- > libavfilter/vf_bwdif.c | 16 +++++++++------- > 1 file changed, 9 insertions(+), 7 deletions(-) > > diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c > index d49f3f66d6..4780b98508 100644 > --- a/libavfilter/vf_bwdif.c > +++ b/libavfilter/vf_bwdif.c 
> @@ -76,19 +76,21 @@ static int filter_slice(AVFilterContext *ctx, void > *arg, int jobnr, int nb_jobs) > uint8_t *cur = &yadif->cur ->data[td->plane][y * linesize]; > uint8_t *next = &yadif->next->data[td->plane][y * linesize]; > uint8_t *dst = &td->frame->data[td->plane][y * > td->frame->linesize[td->plane]]; > - if (yadif->current_field == YADIF_FIELD_END) { > - s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? > refs : -refs, > - y > (df - 1) ? -refs : refs, > - (y + 3*df) < td->h ? 3 * refs : -refs, > - y > (3*df - 1) ? -3 * refs : refs, > - td->parity ^ td->tff, clip_max); > - } else if ((y < 4) || ((y + 5) > td->h)) { > + int is_edge = (y < 4) || ((y + 5) > td->h); > + > + if (is_edge) { > s->dsp.filter_edge(dst, prev, cur, next, td->w, > (y + df) < td->h ? refs : -refs, > y > (df - 1) ? -refs : refs, > refs << 1, -(refs << 1), > td->parity ^ td->tff, clip_max, > (y < 2) || ((y + 3) > td->h) ? 0 : 1); > + } else if (yadif->current_field == YADIF_FIELD_END) { > + s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? > refs : -refs, > + y > (df - 1) ? -refs : refs, > + (y + 3*df) < td->h ? 3 * refs : -refs, > + y > (3*df - 1) ? -3 * refs : refs, > + td->parity ^ td->tff, clip_max); > } else if (s->dsp.filter_line3 && y + 2 < slice_end && y + 6 > < td->h) { > s->dsp.filter_line3(dst, td->frame->linesize[td->plane], > prev, cur, next, linesize, td->w, > -- > 2.52.0 > > > LGTM. Thanks, Thomas
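Review bot: in the new `if (is_edge)` branch, rows with y < 4 or y + 5 > td->h are now sent to filter_edge(dst, prev, cur, next, ...) even when yadif->current_field == YADIF_FIELD_END, where they previously went to filter_intra, which takes only cur. That changes the top and bottom rows of every frame on the FIELD_END path regardless of height, not only the h <= 4 case the commit message describes, and it makes those rows depend on prev and next being usable in that state. Please state in the commit message that this is intended and that prev/next are valid there, or keep filter_intra for edge rows and correct its fallback offsets instead. In the moved filter_intra call the 3-row ternaries `(y + 3*df) < td->h ? 3 * refs : -refs` and `y > (3*df - 1) ? -3 * refs : refs` are carried over unchanged; a short comment saying which fallbacks are still reachable once is_edge has excluded y < 4 and y + 5 > td->h would make the bounds argument checkable. Style point: the subject prefix `lavf/` conventionally denotes libavformat, while the file touched is libavfilter/vf_bwdif.c, so `lavfi/bwdif` or `avfilter/bwdif` would be the expected prefix.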
