This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/5.1 in repository ffmpeg.
commit 3575d794b4499ec3d780b78050e0de6b046013ff Author: Michael Niedermayer <[email protected]> AuthorDate: Sun Jun 21 01:06:03 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 21 02:56:27 2026 +0200 avcodec/h264_slice: guard color_frame() against chroma-width underflow Backported to 5.1's ff_color_frame() in utils.c: for chroma width 1, bytes-2 underflowed to a huge size in av_memcpy_backptr() -> heap out-of-bounds write. Guard the writes and use 2*(bytes-1). (cherry picked from commit b47f49586c... adapted to 5.1 ff_color_frame) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 29b859281e..05c7f7b927 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -433,8 +433,10 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int bytes = is_chroma ? AV_CEIL_RSHIFT(frame->width, desc->log2_chroma_w) : frame->width; int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; if (desc->comp[0].depth >= 9) { - ((uint16_t*)dst)[0] = c[p]; - av_memcpy_backptr(dst + 2, 2, bytes - 2); + if (bytes >= 1) + ((uint16_t*)dst)[0] = c[p]; + if (bytes >= 2) + av_memcpy_backptr(dst + 2, 2, 2 * (bytes - 1)); dst += frame->linesize[p]; for (y = 1; y < height; y++) { memcpy(dst, frame->data[p], 2*bytes); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
