This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 24b452cd9f6664dcee63f1d597ba052b34f8efd2 Author: Michael Niedermayer <[email protected]> AuthorDate: Sat May 9 00:00:00 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:59:02 2026 +0200 avcodec/magicyuv: Expand the s->interlaced slice-height sanity check Fixes: poc_magicyuv.avi Fixes: out of array access Found-by: Ori Hollander of the JFrog Vulnerability Research team (cherry picked from commit 5806e8b9f34f1b0663b3017ef9dd1aa5d08116d1) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/magicyuv.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index bc40032cac..2d5af052db 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -564,11 +564,11 @@ static int magy_decode_frame(AVCodecContext *avctx, AVFrame *p, return AVERROR_INVALIDDATA; } + if ((s->slice_height >> s->vshift[1]) <= s->interlaced) { + av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); + return AVERROR_INVALIDDATA; + } if (s->interlaced) { - if ((s->slice_height >> s->vshift[1]) < 2) { - av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); - return AVERROR_INVALIDDATA; - } if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) { av_log(avctx, AV_LOG_ERROR, "impossible height\n"); return AVERROR_INVALIDDATA; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
