This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit bf1f0c631d43a92f3196358b01175d66a9aaa785
Author:     Zhao Zhili <[email protected]>
AuthorDate: Thu May 7 12:46:10 2026 +0800
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Fri Jun 12 23:46:00 2026 +0200

    avcodec/hevc: limit missing-ref fill to coded planes

    generate_missing_ref walked frame->f->data[] until a NULL slot, which
    on alpha-video frames extended to data[3] and read
    sps->hshift[3]/vshift[3] out of bounds. The alpha plane is produced by
    the alpha layer via replace_alpha_plane; the base decoder path never
    reads or writes it.

    Bound the fill loop by the SPS coded plane count. This both removes
    the out-of-bounds shift access and avoids an unnecessary full-frame
    memset of the alpha plane.

    Fixes: out of array read
    Fixes: 500770604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6157374833623040
    (cherry picked from commit 3b939ced79655ed084e6bebc493fa8b11e9b9d8b)

    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    (cherry picked from commit afe5c07ad7bf973bfa0e490fbc8e50c2432d819d)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/hevc_refs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 4f6d985ae6..c994e0bc63 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c
@@ -393,12 +393,13 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) return NULL; if (!s->avctx->hwaccel) { + int nb_planes = s->ps.sps->chroma_format_idc ? 3 : 1; if (!s->ps.sps->pixel_shift) { - for (i = 0; frame->frame->buf[i]; i++) + for (i = 0; i < nb_planes; i++) memset(frame->frame->buf[i]->data, 1 << (s->ps.sps->bit_depth - 1), frame->frame->buf[i]->size); } else { - for (i = 0; frame->frame->data[i]; i++) + for (i = 0; i < nb_planes; i++) for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) { uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i]; AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1)); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
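Review bot: In the 8-bit branch (`!s->ps.sps->pixel_shift`) the new loop dereferences `frame->frame->buf[i]` for every `i < nb_planes`, but the NULL test that used to terminate the loop is gone. `nb_planes` counts coded planes, while `buf[]` is indexed by buffer, and an AVFrame may back several planes with a single buffer, so a frame that carries fewer buffers than coded planes would now hit a NULL `buf[i]` where the old loop simply stopped. Keeping both conditions, `for (i = 0; i < nb_planes && frame->frame->buf[i]; i++)`, preserves the out-of-bounds fix without adding that dereference; the same guard on `frame->frame->data[i]` in the 16-bit branch would keep the two paths symmetric. A one-line comment next to `nb_planes` saying that the alpha plane is filled by the alpha layer, as the commit message explains, would also help the next reader see why the bound is 3 rather than the number of allocated planes.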
