This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit a49bbf9701aca3e27ddbb4f095c20ad28da6bda5 Author: Franciszek Kalinowski <[email protected]> AuthorDate: Tue May 19 09:29:45 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Thu Jun 18 20:30:55 2026 +0200 avfilter/af_join: fix wrong loop bound in buffer dedup (use-after-free) try_push_frame() decides whether an input buffer is already tracked by testing `j == i` (the channel index) instead of `j == nb_buffers`. Once an earlier channel shared a buffer, nb_buffers falls behind i and a genuinely new buffer is never referenced, so it is freed while the output frame still points at it. Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. (cherry picked from commit 461fb220538f13fb4f971af5d7321459a4c84754) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/af_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index 0ea53248b6..efc1d4d2a9 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -469,7 +469,7 @@ static int try_push_frame(AVFilterContext *ctx) for (j = 0; j < nb_buffers; j++) if (s->buffers[j]->buffer == buf->buffer) break; - if (j == i) + if (j == nb_buffers) s->buffers[nb_buffers++] = buf; } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
