This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch master in repository ffmpeg.
commit 5806e8b9f34f1b0663b3017ef9dd1aa5d08116d1 Author: Michael Niedermayer <[email protected]> AuthorDate: Sat May 9 00:00:00 2026 +0000 Commit: michaelni <[email protected]> CommitDate: Mon May 25 02:05:30 2026 +0000 avcodec/magicyuv: Expand the s->interlaced slice-height sanity check Fixes: poc_magicyuv.avi Fixes: out of array access Found-by: Ori Hollander of the JFrog Vulnerability Research team --- libavcodec/magicyuv.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index ea8a4007b6..aaff4df175 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -570,11 +570,11 @@ static int magy_decode_frame(AVCodecContext *avctx, AVFrame *p, return AVERROR_INVALIDDATA; } + if ((s->slice_height >> s->vshift[1]) <= s->interlaced) { + av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); + return AVERROR_INVALIDDATA; + } if (s->interlaced) { - if ((s->slice_height >> s->vshift[1]) < 2) { - av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); - return AVERROR_INVALIDDATA; - } if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) { av_log(avctx, AV_LOG_ERROR, "impossible height\n"); return AVERROR_INVALIDDATA; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
