This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 3c51be6c26b7cf40f3638b728d38ae91196ecdf7
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Jun 8 02:30:38 2026 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Mon Jun 15 23:57:23 2026 +0200

avfilter/v360: reject out-of-range dimensions

Fixes: integer overflow
Found-by: Kery (Qi Kery <[email protected]>)
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit fd6b3fa42367521520e7ed8a0371f4aa7e5870e1)
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavfilter/vf_v360.c | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/libavfilter/vf_v360.c b/libavfilter/vf_v360.c
index cbea2ee7e0..3d300d6353 100644
--- a/libavfilter/vf_v360.c
+++ b/libavfilter/vf_v360.c
@@ -4295,6 +4295,20 @@ static int v360_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
 return 0;
 }
 
+static int get_output_dimension(AVFilterContext *ctx, const char *name,
+ float val, int *dim)
+{
+ if (!isfinite(val) || val < 1.f || val > INT16_MAX) {
+ av_log(ctx, AV_LOG_ERROR,
+ "Output %s %g is outside the allowed range [1, %d].\n",
+ name, val, INT16_MAX);
+ return AVERROR(EINVAL);
+ }
+
+ *dim = lrintf(val);
+ return 0;
+}
+
 static int config_output(AVFilterLink *outlink)
 {
 AVFilterContext *ctx = outlink->src;
@@ -4465,6 +4479,15 @@ static int config_output(AVFilterLink *outlink)
 if (s->in_transpose)
 FFSWAP(int, s->in_width, s->in_height);
 
+ // The remap code stores input coordinates in int16_t
+ if (s->in_width < 1 || s->in_width > INT16_MAX ||
+ s->in_height < 1 || s->in_height > INT16_MAX) {
+ av_log(ctx, AV_LOG_ERROR,
+ "Input dimensions %dx%d are outside the allowed range [1, %d].\n",
+ s->in_width, s->in_height, INT16_MAX);
+ return AVERROR(EINVAL);
+ }
+
 switch (s->in) {
 case EQUIRECTANGULAR:
 s->in_transform = xyz_to_equirect;
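Review bot: `*dim = lrintf(val);` in get_output_dimension rounds to nearest in the default rounding mode, whereas the two assignments it replaces in config_output (the `h = w / tanf(...)` and `w = h / tanf(...)` lines removed in the third hunk) converted float to int by truncation. A FLAT output sized from one dimension plus the two FOVs can therefore come out one pixel larger than before this backport. If that is intended on a release branch it deserves a line in the commit message; if not, `*dim = (int)val;` keeps the old result and is well defined once the range test has passed. The helper also has no comment; something like `/* Validate a computed output size and convert it to int; rejects NaN, infinity and anything outside [1, INT16_MAX]. */` above it would state the contract.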
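Review bot: The `[1, INT16_MAX]` test on `s->in_width`/`s->in_height` is written out by hand here and again for `w`/`h` in the last hunk, and the same limit appears a third time in get_output_dimension, so the copies can drift apart if the coordinate type behind the limit ever changes. A single new named limit placed next to the int16_t comment (say `V360_MAX_DIM`) and used by all three checks would tie the bound to its reason in one place. The error message prints the dimensions after the `in_transpose` swap, which may not match the order the user sees on the input; mentioning that in the text would avoid confusion. config_output starts and ends outside this hunk.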
@@ -4782,11 +4805,17 @@ static int config_output(AVFilterLink *outlink)
 if (s->width > 0 && s->height <= 0 && s->h_fov > 0.f && s->v_fov > 0.f &&
 s->out == FLAT && s->d_fov == 0.f) {
 w = s->width;
- h = w / tanf(s->h_fov * M_PI / 360.f) * tanf(s->v_fov * M_PI / 360.f);
+ err = get_output_dimension(ctx, "height",
+ w / tanf(s->h_fov * M_PI / 360.f) * tanf(s->v_fov * M_PI / 360.f), &h);
+ if (err < 0)
+ return err;
 } else if (s->width <= 0 && s->height > 0 && s->h_fov > 0.f && s->v_fov > 0.f &&
 s->out == FLAT && s->d_fov == 0.f) {
 h = s->height;
- w = h / tanf(s->v_fov * M_PI / 360.f) * tanf(s->h_fov * M_PI / 360.f);
+ err = get_output_dimension(ctx, "width",
+ h / tanf(s->v_fov * M_PI / 360.f) * tanf(s->h_fov * M_PI / 360.f), &w);
+ if (err < 0)
+ return err;
 } else if (s->width > 0 && s->height > 0) {
 w = s->width;
 h = s->height;
@@ -4801,6 +4830,13 @@ static int config_output(AVFilterLink *outlink)
 FFSWAP(int, w, h);
 }
 
+ if (w < 1 || w > INT16_MAX || h < 1 || h > INT16_MAX) {
+ av_log(ctx, AV_LOG_ERROR,
+ "Output dimensions %dx%d are outside the allowed range [1, %d].\n",
+ w, h, INT16_MAX);
+ return AVERROR(EINVAL);
+ }
+
 s->width = w;
 s->height = h;
 
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
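Review bot: The final test on `w` and `h` in the last hunk operates on values that are already `int`, so it cannot guard a float-to-int conversion performed earlier in the chain. The two FLAT branches are covered by get_output_dimension, but the trailing `else` branch of this `if`/`else if` chain lies outside the hunk. If that branch derives a default size from a float expression, passing it through `get_output_dimension(ctx, "width", ..., &w)` as well would keep the conversion defined by its own check rather than, presumably, by the bounded input size. config_output continues beyond the hunk, so this could not be confirmed from the visible lines.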
