This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit 9bca18ebcd818b9d26f1ed298d18ffe0890f4dd6 Author: Jun Zhao <[email protected]> AuthorDate: Sun Jan 25 10:31:48 2026 +0800 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 21 17:59:33 2026 +0200 lavfi/bwdif: fix heap-buffer-overflow with small height videos Reproduce: ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null - filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3]. For small height videos (h <= 4), this causes heap-buffer-overflow. Add boundary check for filter_intra when YADIF_FIELD_END is set. The boundary condition (y < 3) or (y + 3 >= td->h) precisely matches filter_intra's 3-line context requirement. Test file: 160x4 gray16 JPEG https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15 fix #21570 Reviewed-by: Thomas Mundt <[email protected]> Signed-off-by: Jun Zhao <[email protected]> (cherry picked from commit 795bccdaf57772b1803914dee2f32d52776518e2) Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit fdfe4d2cfb91bf4f81b3058e1f4b54a2afe8a622) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/vf_bwdif.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index e4b4ec79b0..2ff88dbc4f 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -233,11 +233,20 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) uint8_t *next = &yadif->next->data[td->plane][y * linesize]; uint8_t *dst = &td->frame->data[td->plane][y * td->frame->linesize[td->plane]]; if (yadif->current_field == YADIF_FIELD_END) { - s->filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, - y > (df - 1) ? -refs : refs, - (y + 3*df) < td->h ? 3 * refs : -refs, - y > (3*df - 1) ? -3 * refs : refs, - td->parity ^ td->tff, clip_max); + if ((y < 3) || ((y + 3) >= td->h)) { + s->filter_edge(dst, prev, cur, next, td->w, + (y + df) < td->h ? refs : -refs, + y > (df - 1) ? -refs : refs, + refs << 1, -(refs << 1), + td->parity ^ td->tff, clip_max, + (y < 2) || ((y + 3) > td->h) ? 0 : 1); + } else { + s->filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, + y > (df - 1) ? -refs : refs, + (y + 3*df) < td->h ? 3 * refs : -refs, + y > (3*df - 1) ? -3 * refs : refs, + td->parity ^ td->tff, clip_max); + } } else if ((y < 4) || ((y + 5) > td->h)) { s->filter_edge(dst, prev, cur, next, td->w, (y + df) < td->h ? refs : -refs, _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
