This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new 0dac41d2e5 avfilter/boxblur: reject pixel formats deeper than 16 bits
0dac41d2e5 is described below

commit 0dac41d2e5e0f4251ed89eedb03a847d5d59ef67
Author:     Pavel Kohout <[email protected]>
AuthorDate: Tue Jun 30 21:52:47 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Thu Jul 2 03:16:42 2026 +0000

    avfilter/boxblur: reject pixel formats deeper than 16 bits
    
    Fixes: heap buffer overflow
    Fixes: CRufFb6TVikL
    Fixes: dee7440531 (vf_boxblur: Templatize blur{8,16})
    Found-by: Pavel Kohout (Aisle Research)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavfilter/vf_boxblur.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_boxblur.c b/libavfilter/vf_boxblur.c
index 3cb42471a7..8d9649172a 100644
--- a/libavfilter/vf_boxblur.c
+++ b/libavfilter/vf_boxblur.c
@@ -25,6 +25,7 @@
  * Ported from MPlayer libmpcodecs/vf_boxblur.c.
  */
 
+#include "libavutil/avassert.h"
 #include "libavutil/common.h"
 #include "libavutil/mem.h"
 #include "libavutil/opt.h"
@@ -65,6 +66,7 @@ static int query_formats(const AVFilterContext *ctx,
     for (fmt = 0; av_pix_fmt_desc_get(fmt); fmt++) {
         const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt);
         if (!(desc->flags & (AV_PIX_FMT_FLAG_HWACCEL | 
AV_PIX_FMT_FLAG_BITSTREAM | AV_PIX_FMT_FLAG_PAL)) &&
+            desc->comp[0].depth <= 16 &&
             (desc->flags & AV_PIX_FMT_FLAG_PLANAR || desc->nb_components == 1) 
&&
             (!(desc->flags & AV_PIX_FMT_FLAG_BE) == !HAVE_BIGENDIAN || 
desc->comp[0].depth == 8) &&
             (ret = ff_add_format(&formats, fmt)) < 0)
@@ -163,7 +165,10 @@ static inline void blur(uint8_t *dst, int dst_step, const 
uint8_t *src, int src_
                         int len, int radius, int pixsize)
 {
     if (pixsize == 1) blur8 (dst, dst_step   , src, src_step   , len, radius);
-    else              blur16((uint16_t*)dst, dst_step>>1, (const 
uint16_t*)src, src_step>>1, len, radius);
+    else if (pixsize == 2)
+                      blur16((uint16_t*)dst, dst_step>>1, (const 
uint16_t*)src, src_step>>1, len, radius);
+    else
+        av_assert0(0);
 }
 
 static inline void blur_power(uint8_t *dst, int dst_step, const uint8_t *src, 
int src_step,

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to