This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 64fd93e361cb97f0073b95d3cf01e98f8bc7e77f Author: Franciszek Kalinowski <[email protected]> AuthorDate: Tue May 19 09:29:45 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:40:55 2026 +0200 avfilter/af_join: fix wrong loop bound in buffer dedup (use-after-free) try_push_frame() decides whether an input buffer is already tracked by testing `j == i` (the channel index) instead of `j == nb_buffers`. Once an earlier channel shared a buffer, nb_buffers falls behind i and a genuinely new buffer is never referenced, so it is freed while the output frame still points at it. Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. (cherry picked from commit 461fb220538f13fb4f971af5d7321459a4c84754) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/af_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index de13f8f2dc..0ca6447662 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -469,7 +469,7 @@ static int try_push_frame(AVFilterContext *ctx) for (j = 0; j < nb_buffers; j++) if (s->buffers[j]->buffer == buf->buffer) break; - if (j == i) + if (j == nb_buffers) s->buffers[nb_buffers++] = buf; } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
