This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit e39140d9d30b5589fbbb61b6655a9767143fe397 Author: Michael Niedermayer <[email protected]> AuthorDate: Sun Jun 21 17:53:38 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 21 17:59:33 2026 +0200 avcodec/h264_slice: guard color_frame() against chroma-width underflow Backported to 4.4's ff_color_frame() in utils.c: for chroma width 1, bytes-2 underflowed to a huge size in av_memcpy_backptr() -> heap out-of-bounds write. Guard the writes and use 2*(bytes-1). (cherry picked from commit b47f49586c... adapted to 4.4 ff_color_frame) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b948ba0871..f206256ec3 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -428,8 +428,10 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int bytes = is_chroma ? AV_CEIL_RSHIFT(frame->width, desc->log2_chroma_w) : frame->width; int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; if (desc->comp[0].depth >= 9) { - ((uint16_t*)dst)[0] = c[p]; - av_memcpy_backptr(dst + 2, 2, bytes - 2); + if (bytes >= 1) + ((uint16_t*)dst)[0] = c[p]; + if (bytes >= 2) + av_memcpy_backptr(dst + 2, 2, 2 * (bytes - 1)); dst += frame->linesize[p]; for (y = 1; y < height; y++) { memcpy(dst, frame->data[p], 2*bytes); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
