This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/6.1
in repository ffmpeg.

commit d30e95b93b6b43154fee6be63c49bcc388b965e5
Author:     Zhao Zhili <[email protected]>
AuthorDate: Thu May 7 12:46:10 2026 +0800
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun Jun 14 19:38:50 2026 +0200

    avcodec/hevc: limit missing-ref fill to coded planes
    
    generate_missing_ref walked frame->f->data[] until a NULL slot, which
    on alpha-video frames extended to data[3] and read
    sps->hshift[3]/vshift[3] out of bounds.
    
    The alpha plane is produced by the alpha layer via
    replace_alpha_plane; the base decoder path never reads or writes it.
    Bound the fill loop by the SPS coded plane count. This both removes
    the out-of-bounds shift access and avoids an unnecessary full-frame
    memset of the alpha plane.
    
    Fixes: out of array read
    Fixes: 500770604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6157374833623040
    (cherry picked from commit 3b939ced79655ed084e6bebc493fa8b11e9b9d8b)
    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    (cherry picked from commit afe5c07ad7bf973bfa0e490fbc8e50c2432d819d)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/hevc_refs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c
index 10fdeaf7ff..3280007270 100644
--- a/libavcodec/hevc_refs.c
+++ b/libavcodec/hevc_refs.c
@@ -427,12 +427,14 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, 
int poc)
         return NULL;
 
     if (!s->avctx->hwaccel) {
+        int nb_planes = s->ps.sps->chroma_format_idc ? 3 : 1;
         if (!s->ps.sps->pixel_shift) {
-            for (i = 0; frame->frame->data[i]; i++)
+            for (i = 0; i < nb_planes; i++)
+
                 memset(frame->frame->data[i], 1 << (s->ps.sps->bit_depth - 1),
                        frame->frame->linesize[i] * 
AV_CEIL_RSHIFT(s->ps.sps->height, s->ps.sps->vshift[i]));
         } else {
-            for (i = 0; frame->frame->data[i]; i++)
+            for (i = 0; i < nb_planes; i++)
                 for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); 
y++) {
                     uint8_t *dst = frame->frame->data[i] + y * 
frame->frame->linesize[i];
                     AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1));
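Review bot: Both rewritten loops drop the `frame->frame->data[i]` check entirely, so the memset and the AV_WN16 path now dereference data[i] for every i below nb_planes and rely on the allocated frame always carrying as many planes as chroma_format_idc implies. Keeping the pointer test next to the new bound, as in `for (i = 0; i < nb_planes && frame->frame->data[i]; i++)`, still keeps the vshift[] index within the SPS planes while not turning a plane-count mismatch into a NULL write. The empty `+` line left after the first `for` should be removed, and a one-line comment on nb_planes saying that the alpha plane in data[3] is skipped on purpose would keep a later cleanup from restoring the NULL-terminated walk.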
