PR #21456 opened by Timo Rothenpieler (BtbN) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456.patch
There was so far zero bounds checking here. If the frame that's being searched in is smaller than the object being searched for or shifted around too far using the offset, the function would happily read beyond the frame's bounds. Rather than checking at filter init time, I opted to add the check right here, since frame sizes might change at runtime for various reasons, so just checking right here to never over/under read seems better to me. Fixes #YWH-PGM40646-15 >From 25402bb760f5bee149d0eb0a9a66ca601f3f3702 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler <[email protected]> Date: Tue, 13 Jan 2026 23:57:39 +0100 Subject: [PATCH] avfilter/vf_find_rect: fix missing bounds checking in frame compare() function Fixes #YWH-PGM40646-15 --- libavfilter/vf_find_rect.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index b0be1a6f11..8c983dbf12 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c @@ -126,8 +126,14 @@ static float compare(const AVFrame *haystack, const AVFrame *obj, int offx, int const uint8_t *hdat = haystack->data[0] + offx + offy * haystack->linesize[0]; int64_t o_sigma, h_sigma; - for(y = 0; y < obj->height; y++) { - for(x = 0; x < obj->width; x++) { + int64_t comp_w = FFMIN((int64_t)haystack->width - offx, obj->width); + int64_t comp_h = FFMIN((int64_t)haystack->height - offy, obj->height); + + if (offx >= haystack->width || offy >= haystack->height || comp_w <= 0 || comp_h <= 0) + return 1.0; + + for(y = 0; y < comp_h; y++) { + for(x = 0; x < comp_w; x++) { int o_v = odat[x]; int h_v = hdat[x]; o_sum_v += o_v; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
