PR #21574 opened by Jun Zhao (mypopydev)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574.patch
Reproduce: ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null - filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3]. For small height videos (h <= 4), this causes heap-buffer-overflow. Consolidate boundary checks before filter_intra. Fall back to filter_edge for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge calls for both YADIF_FIELD_END and normal paths. Test file: 160x4 gray16 JPEG https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15 fix #21570 Signed-off-by: Jun Zhao <[email protected]> >From 2fb2658515f7fb0d47ca4710f2ebd672934497c0 Mon Sep 17 00:00:00 2001 From: Jun Zhao <[email protected]> Date: Sun, 25 Jan 2026 10:31:48 +0800 Subject: [PATCH] lavf/bwdif: fix heap-buffer-overflow with small height videos Reproduce: ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null - filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3]. For small height videos (h <= 4), this causes heap-buffer-overflow. Consolidate boundary checks before filter_intra. Fall back to filter_edge for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge calls for both YADIF_FIELD_END and normal paths. Test file: 160x4 gray16 JPEG https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15 fix #21570 Signed-off-by: Jun Zhao <[email protected]> --- libavfilter/vf_bwdif.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index d49f3f66d6..4780b98508 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c 
@@ -76,19 +76,21 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) uint8_t *cur = &yadif->cur ->data[td->plane][y * linesize]; uint8_t *next = &yadif->next->data[td->plane][y * linesize]; uint8_t *dst = &td->frame->data[td->plane][y * td->frame->linesize[td->plane]]; - if (yadif->current_field == YADIF_FIELD_END) { - s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, - y > (df - 1) ? -refs : refs, - (y + 3*df) < td->h ? 3 * refs : -refs, - y > (3*df - 1) ? -3 * refs : refs, - td->parity ^ td->tff, clip_max); - } else if ((y < 4) || ((y + 5) > td->h)) { + int is_edge = (y < 4) || ((y + 5) > td->h); + + if (is_edge) { s->dsp.filter_edge(dst, prev, cur, next, td->w, (y + df) < td->h ? refs : -refs, y > (df - 1) ? -refs : refs, refs << 1, -(refs << 1), td->parity ^ td->tff, clip_max, (y < 2) || ((y + 3) > td->h) ? 0 : 1); + } else if (yadif->current_field == YADIF_FIELD_END) { + s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, + y > (df - 1) ? -refs : refs, + (y + 3*df) < td->h ? 3 * refs : -refs, + y > (3*df - 1) ? -3 * refs : refs, + td->parity ^ td->tff, clip_max); } else if (s->dsp.filter_line3 && y + 2 < slice_end && y + 6 < td->h) { s->dsp.filter_line3(dst, td->frame->linesize[td->plane], prev, cur, next, linesize, td->w, -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
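Review bot: moving the is_edge test ahead of the YADIF_FIELD_END branch changes which filter runs on edge rows for every frame height, not only for h <= 4. In the YADIF_FIELD_END case, rows with y < 4 or y + 5 > td->h used to go through filter_intra, which is passed only cur; they now go through filter_edge, which is also passed prev and next. The commit message describes only the small-height overflow, so please either state that this output change for YADIF_FIELD_END frames is intended and that prev and next are safe to read in that state, or keep filter_intra on that path and fix the offsets it is given. In the old call the fallback in `y > (3*df - 1) ? -3 * refs : refs` picks +refs without checking y + 1 against td->h, which looks like the actual out-of-range read. For rows that are not edges (y >= 4 and y + 5 <= td->h) every row from y - 3 to y + 3 is inside the frame, so the moved filter_intra call stays in bounds. A FATE case built from the attached 160x4 gray16 sample would keep this from regressing. Minor: lavf/ is the usual abbreviation for libavformat, and the file is under libavfilter, so lavfi/bwdif or avfilter/bwdif fits the subject better.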
