This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/4.4
in repository ffmpeg.

commit 8b5894e0ebd51fc2a7ff8affa6a4e4e8a540847c
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Jan 23 00:06:23 2026 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue May 5 18:55:00 2026 +0200

    avcodec/vp9: Reallocate on resolution change which does not change tile_cols
    
    Fixes: out of array access on resolution change with slices threads
    Fixes: VULN-10/poc.ivf
    
    Found-by: Zhenpeng (Leo) Lin from depthfirst
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 38230db7b908af34315cffe848a83989dbe1678e)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/vp9.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 43b11ebede..ce539d1b70 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -198,10 +198,12 @@ static int update_size(AVCodecContext *avctx, int w, int 
h)
     uint8_t *p;
     int bytesperpixel = s->bytesperpixel, ret, cols, rows;
     int lflvl_len, i;
+    int changed = 0;
 
     av_assert0(w > 0 && h > 0);
 
     if (!(s->pix_fmt == s->gf_fmt && w == s->w && h == s->h)) {
+        changed = 1;
         if ((ret = ff_set_dimensions(avctx, w, h)) < 0)
             return ret;
 
@@ -255,7 +257,7 @@ static int update_size(AVCodecContext *avctx, int w, int h)
     rows = (h + 7) >> 3;
 
     if (s->intra_pred_data[0] && cols == s->cols && rows == s->rows && 
s->pix_fmt == s->last_fmt)
-        return 0;
+        return changed;
 
     s->last_fmt  = s->pix_fmt;
     s->sb_cols   = (w + 63) >> 6;
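Review bot: The path that continues past this early return (it goes on to set `s->last_fmt` and `s->sb_cols`) never sets `changed` itself; it relies on the first `if` in update_size having done so. If that path can be reached while w, h and pix_fmt match the stored values, the function would return 0 although it went on to rebuild its state, and the caller would skip the reallocation this commit is meant to force. One way this might happen, not visible in this hunk, is `s->intra_pred_data[0]` being NULL after an earlier call failed part-way. Adding `changed = 1;` directly after the early `return changed;` would tie the return value to the rebuild itself rather than to the dimension comparison. The rest of update_size lies outside the hunk, so this needs confirming against the full function.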
@@ -300,9 +302,10 @@ static int update_size(AVCodecContext *avctx, int w, int h)
         ff_vp9dsp_init(&s->dsp, s->s.h.bpp, avctx->flags & 
AV_CODEC_FLAG_BITEXACT);
         ff_videodsp_init(&s->vdsp, s->s.h.bpp);
         s->last_bpp = s->s.h.bpp;
+        changed = 1;
     }
 
-    return 0;
+    return changed;
 }
 
 static int update_block_buffers(AVCodecContext *avctx)
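Review bot: update_size now has a three-way return (negative error, 0, 1), but nothing at the definition documents it. A comment above the function such as `/* Returns <0 on error, 1 if the frame size or format changed or the DSP contexts were re-initialised, 0 otherwise. */` would make the contract explicit. Any other caller of update_size outside this diff that passes the result on unchanged or tests it with `!= 0` should be checked, since 1 is now a success value.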
@@ -509,6 +512,7 @@ static int decode_frame_header(AVCodecContext *avctx,
     int c, i, j, k, l, m, n, w, h, max, size2, ret, sharp;
     int last_invisible;
     const uint8_t *data2;
+    int changed;
 
     /* general header */
     if ((ret = init_get_bits8(&s->gb, data, size)) < 0) {
@@ -773,10 +777,10 @@ static int decode_frame_header(AVCodecContext *avctx,
     }
 
     /* tiling info */
-    if ((ret = update_size(avctx, w, h)) < 0) {
+    if ((changed = update_size(avctx, w, h)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "Failed to initialize decoder for %dx%d @ 
%d\n",
                w, h, s->pix_fmt);
-        return ret;
+        return changed;
     }
     for (s->s.h.tiling.log2_tile_cols = 0;
          s->sb_cols > (64 << s->s.h.tiling.log2_tile_cols);
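Review bot: A point of style at the `update_size()` call: `changed` now also carries the negative error code and is what gets returned on failure, so the flag's name is misleading on that path. Keeping `ret` for the error check and assigning the flag afterwards keeps the two roles apart: leave `if ((ret = update_size(avctx, w, h)) < 0) {` and `return ret;` as they were, and add `changed = ret;` after the block. The `|| changed` test added in the next hunk would also benefit from a one-line comment saying that a size change forces the reallocation even when tile_cols is unchanged, as the commit title states. That block continues outside the hunk.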
@@ -791,7 +795,7 @@ static int decode_frame_header(AVCodecContext *avctx,
     }
     s->s.h.tiling.log2_tile_rows = decode012(&s->gb);
     s->s.h.tiling.tile_rows = 1 << s->s.h.tiling.log2_tile_rows;
-    if (s->s.h.tiling.tile_cols != (1 << s->s.h.tiling.log2_tile_cols)) {
+    if (s->s.h.tiling.tile_cols != (1 << s->s.h.tiling.log2_tile_cols) || 
changed) {
         int n_range_coders;
         VP56RangeCoder *rc;
 
