This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit 2e3ce980012aebdcf4ee92dfab36287dcb3871f4 Author: James Almer <[email protected]> AuthorDate: Sat Jan 3 21:31:30 2026 -0300 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:54:55 2026 +0200 avfilter/vf_stack: add checks for the final canvas dimensions Prevents potential integer overflows when trying to stitch absurdly huge images together. Fixes #YWH-PGM40646-38. Signed-off-by: James Almer <[email protected]> (cherry picked from commit 4fad1367040e093c8a52f4f34054e4feb5203243) Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit dcae33471953891813815282a6eb8baa04e13c92) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/vf_stack.c | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_stack.c b/libavfilter/vf_stack.c index 3d2b19a318..731c28428a 100644 --- a/libavfilter/vf_stack.c +++ b/libavfilter/vf_stack.c @@ -220,6 +220,8 @@ static int config_output(AVFilterLink *outlink) item->y[1] = item->y[2] = AV_CEIL_RSHIFT(height, s->desc->log2_chroma_h); item->y[0] = item->y[3] = height; + if (height > INT_MAX - ctx->inputs[i]->h) + return AVERROR(EINVAL); height += ctx->inputs[i]->h; } } @@ -245,6 +247,8 @@ static int config_output(AVFilterLink *outlink) return ret; } + if (width > INT_MAX - ctx->inputs[i]->w) + return AVERROR(EINVAL); width += ctx->inputs[i]->w; } } @@ -290,26 +294,41 @@ static int config_output(AVFilterLink *outlink) if (size == i || size < 0 || size >= s->nb_inputs) return AVERROR(EINVAL); - if (!j) + if (!j) { + if (inw > INT_MAX - ctx->inputs[size]->w) + return AVERROR(EINVAL); inw += ctx->inputs[size]->w; - else + } else { + if (inh > INT_MAX - ctx->inputs[size]->w) + return AVERROR(EINVAL); inh += ctx->inputs[size]->w; + } } else if (sscanf(arg3, "h%d", &size) == 1) { if (size == i || size < 0 || size >= s->nb_inputs) return AVERROR(EINVAL); - if (!j) + if (!j) { + if (inw > INT_MAX - ctx->inputs[size]->h) + return AVERROR(EINVAL); inw += ctx->inputs[size]->h; - else + } else { + if (inh > INT_MAX - ctx->inputs[size]->h) + return AVERROR(EINVAL); inh += ctx->inputs[size]->h; + } } else if (sscanf(arg3, "%d", &size) == 1) { if (size < 0) return AVERROR(EINVAL); - if (!j) + if (!j) { + if (inw > INT_MAX - size) + return AVERROR(EINVAL); inw += size; - else + } else { + if (inh > INT_MAX - size) + return AVERROR(EINVAL); inh += size; + } } else { return AVERROR(EINVAL); } @@ -323,6 +342,8 @@ static int config_output(AVFilterLink *outlink) item->y[1] = item->y[2] = AV_CEIL_RSHIFT(inh, s->desc->log2_chroma_h); item->y[0] = item->y[3] = inh; + if (inlink->w > INT_MAX - inw || inlink->h > INT_MAX - inh) + return AVERROR(EINVAL); width = FFMAX(width, inlink->w + inw); height = FFMAX(height, inlink->h + inh); } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
