PR #21577 opened by Zhao Zhili (quink) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21577 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21577.patch
AVOption with AV_OPT_TYPE_INT assumes the field is int (4 bytes), but enum size is implementation-defined and may be smaller. This can cause memory corruption when AVOption writes 4 bytes to a field that is only 1-2 bytes, potentially overwriting adjacent struct members. Other known but unfixed cases are struct members that are exposed both as AVOption and as part of the public API. >From 8cad678fca925dc1d2a2aa0cc1fc6ca3761756fd Mon Sep 17 00:00:00 2001 From: Zhao Zhili <[email protected]> Date: Sun, 25 Jan 2026 22:07:44 +0800 Subject: [PATCH 1/3] avcodec: use int instead of enum for AVOption fields AVOption with AV_OPT_TYPE_INT assumes the field is int (4 bytes), but enum size is implementation-defined and may be smaller. This can cause memory corruption when AVOption writes 4 bytes to a field that is only 1-2 bytes, potentially overwriting adjacent struct members. Affected structures: AMFEncoderContext: align, aq_mode FilterUnitsContext: discard HapContext: opt_tex_fmt HYuvEncContext: predictor Signed-off-by: Zhao Zhili <[email protected]> --- libavcodec/amfenc.h | 6 ++++-- libavcodec/bsf/filter_units.c | 3 ++- libavcodec/hap.h | 3 ++- libavcodec/huffyuvenc.c | 3 ++- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/amfenc.h b/libavcodec/amfenc.h index 8f5eb5a9ef..ff5ce0ba76 100644 --- a/libavcodec/amfenc.h +++ b/libavcodec/amfenc.h @@ -115,8 +115,10 @@ typedef struct AMFEncoderContext { // AV1 - specific options - enum AMF_VIDEO_ENCODER_AV1_ALIGNMENT_MODE_ENUM align; - enum AMF_VIDEO_ENCODER_AV1_AQ_MODE_ENUM aq_mode; + /* enum AMF_VIDEO_ENCODER_AV1_ALIGNMENT_MODE_ENUM, use int for AVOption */ + int align; + /* enum AMF_VIDEO_ENCODER_AV1_AQ_MODE_ENUM */ + int aq_mode; // Preanalysis - specific options diff --git a/libavcodec/bsf/filter_units.c b/libavcodec/bsf/filter_units.c index 336331733f..696a1f37c4 100644 --- a/libavcodec/bsf/filter_units.c +++ b/libavcodec/bsf/filter_units.c @@ -35,7 +35,8 @@ typedef struct FilterUnitsContext { const char *pass_types; const char *remove_types; - enum AVDiscard discard; + /* enum AVDiscard, use int for AVOption */ + int discard; int discard_flags; enum { diff --git a/libavcodec/hap.h b/libavcodec/hap.h index 1de6d45428..b07f8a4b19 100644 --- a/libavcodec/hap.h +++ b/libavcodec/hap.h @@ -62,7 +62,8 @@ typedef struct HapContext { GetByteContext gbc; - enum HapTextureFormat opt_tex_fmt; /* Texture type (encoder only) */ + /* enum HapTextureFormat, use int for AVOption */ + int opt_tex_fmt; /* Texture type (encoder only) */ int opt_chunk_count; /* User-requested chunk count (encoder only) */ int opt_compressor; /* User-requested compressor (encoder only) */ diff --git a/libavcodec/huffyuvenc.c b/libavcodec/huffyuvenc.c index b213d4dc95..0f6b18f0f6 100644 --- a/libavcodec/huffyuvenc.c +++ b/libavcodec/huffyuvenc.c @@ -48,7 +48,8 @@ typedef struct HYuvEncContext { AVClass *class; AVCodecContext *avctx; PutBitContext pb; - Predictor predictor; + /* Predictor, use int for AVOption */ + int predictor; int interlaced; int decorrelate; int bitstream_bpp; -- 2.52.0 >From 11d07626485d7246bfea70fb2428a0abc013e7bf Mon Sep 17 00:00:00 2001 From: Zhao Zhili <[email protected]> Date: Sun, 25 Jan 2026 22:14:05 +0800 Subject: [PATCH 2/3] avformat: use int instead of enum for AVOption fields Signed-off-by: Zhao Zhili <[email protected]> --- libavformat/chromaprint.c | 3 ++- libavformat/libsrt.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/chromaprint.c b/libavformat/chromaprint.c index eae233a651..d55e6e0845 100644 --- a/libavformat/chromaprint.c +++ b/libavformat/chromaprint.c @@ -41,7 +41,8 @@ typedef struct ChromaprintMuxContext { const AVClass *class; int silence_threshold; int algorithm; - FingerprintFormat fp_format; + /* FingerprintFormat, use int for AVOption */ + int fp_format; #if CPR_VERSION_INT >= AV_VERSION_INT(1, 4, 0) ChromaprintContext *ctx; #else diff --git a/libavformat/libsrt.c b/libavformat/libsrt.c index ba04d9f782..12a7ad6a52 100644 --- a/libavformat/libsrt.c +++ b/libavformat/libsrt.c @@ -82,7 +82,8 @@ typedef struct SRTContext { int payload_size; int64_t rcvlatency; int64_t peerlatency; - enum SRTMode mode; + /* enum SRTMode, use int for AVOption */ + int mode; int sndbuf; int rcvbuf; int lossmaxttl; -- 2.52.0 >From a44e0c586ce5d2466aa7c5a449314383c9a50e2b Mon Sep 17 00:00:00 2001 From: Zhao Zhili <[email protected]> Date: Sun, 25 Jan 2026 22:30:58 +0800 Subject: [PATCH 3/3] avfilter: use int instead of enum for AVOption fields Signed-off-by: Zhao Zhili <[email protected]> --- libavfilter/af_loudnorm.c | 3 ++- libavfilter/vf_blend.c | 3 ++- libavfilter/vf_blend_vulkan.c | 3 ++- libavfilter/vf_colorspace.c | 9 ++++++--- libavfilter/vf_colorspace_cuda.c | 3 ++- libavfilter/vf_displace.c | 3 ++- libavfilter/vf_framepack.c | 3 ++- libavfilter/vf_libplacebo.c | 3 ++- libavfilter/vf_minterpolate.c | 3 ++- libavfilter/vf_tiltandshift.c | 4 ++-- libavfilter/vf_tonemap.c | 3 ++- libavfilter/vf_tonemap_opencl.c | 3 ++- libavfilter/vsrc_perlin.c | 3 ++- libavfilter/vsrc_testsrc_vulkan.c | 3 ++- 14 files changed, 32 insertions(+), 17 deletions(-) diff --git a/libavfilter/af_loudnorm.c b/libavfilter/af_loudnorm.c index 2636f2245e..4432ffdad9 100644 --- a/libavfilter/af_loudnorm.c +++ b/libavfilter/af_loudnorm.c @@ -63,7 +63,8 @@ typedef struct LoudNormContext { double offset; int linear; int dual_mono; - enum PrintFormat print_format; + /* enum PrintFormat */ + int print_format; double *buf; int buf_size; diff --git a/libavfilter/vf_blend.c b/libavfilter/vf_blend.c index 149d64399c..07656f05b2 100644 --- a/libavfilter/vf_blend.c +++ b/libavfilter/vf_blend.c @@ -40,7 +40,8 @@ typedef struct BlendContext { int hsub, vsub; ///< chroma subsampling values int nb_planes; char *all_expr; - enum BlendMode all_mode; + /* enum BlendMode */ + int all_mode; double all_opacity; int depth; diff --git a/libavfilter/vf_blend_vulkan.c b/libavfilter/vf_blend_vulkan.c index 57cf3c696b..35b6dd2827 100644 --- a/libavfilter/vf_blend_vulkan.c +++ b/libavfilter/vf_blend_vulkan.c @@ -52,7 +52,8 @@ typedef struct BlendVulkanContext { FilterParamsVulkan params[4]; double all_opacity; - enum BlendMode all_mode; + /* enum BlendMode */ + int all_mode; } BlendVulkanContext; #define DEFINE_BLEND_MODE(MODE, EXPR) \ diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index de9a1a42e4..c5ffcda19f 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -127,9 +127,12 @@ typedef struct ColorSpaceContext { enum AVColorPrimaries in_prm, out_prm, user_prm, user_iprm; enum AVPixelFormat in_format, user_format; int fast_mode; - enum DitherMode dither; - enum WhitepointAdaptation wp_adapt; - enum ClipGamutMode clip_gamut; + /* enum DitherMode */ + int dither; + /* enum WhitepointAdaptation */ + int wp_adapt; + /* enum ClipGamutMode */ + int clip_gamut; int16_t *rgb[3]; ptrdiff_t rgb_stride; diff --git a/libavfilter/vf_colorspace_cuda.c b/libavfilter/vf_colorspace_cuda.c index 54d6228cd1..c38f277a5f 100644 --- a/libavfilter/vf_colorspace_cuda.c +++ b/libavfilter/vf_colorspace_cuda.c @@ -61,7 +61,8 @@ typedef struct CUDAColorspaceContext { CUfunction cu_convert[AVCOL_RANGE_NB]; enum AVPixelFormat pix_fmt; - enum AVColorRange range; + /* enum AVColorRange */ + int range; int num_planes; } CUDAColorspaceContext; diff --git a/libavfilter/vf_displace.c b/libavfilter/vf_displace.c index 055488e6c9..3a860fc973 100644 --- a/libavfilter/vf_displace.c +++ b/libavfilter/vf_displace.c @@ -36,7 +36,8 @@ enum EdgeMode { typedef struct DisplaceContext { const AVClass *class; int width[4], height[4]; - enum EdgeMode edge; + /* enum EdgeMode */ + int edge; int nb_planes; int nb_components; int step; diff --git a/libavfilter/vf_framepack.c b/libavfilter/vf_framepack.c index 2c393d7f43..5480ef0fc1 100644 --- a/libavfilter/vf_framepack.c +++ b/libavfilter/vf_framepack.c @@ -45,7 +45,8 @@ typedef struct FramepackContext { int depth; const AVPixFmtDescriptor *pix_desc; ///< agreed pixel format - enum AVStereo3DType format; ///< frame pack type output + /* enum AVStereo3DType */ + int format; ///< frame pack type output AVFrame *input_views[2]; ///< input frames } FramepackContext; diff --git a/libavfilter/vf_libplacebo.c b/libavfilter/vf_libplacebo.c index e355f658f7..0135540316 100644 --- a/libavfilter/vf_libplacebo.c +++ b/libavfilter/vf_libplacebo.c @@ -206,7 +206,8 @@ typedef struct LibplaceboContext { float pad_crop_ratio; float corner_rounding; char *lut_filename; - enum pl_lut_type lut_type; + /* enum pl_lut_type */ + int lut_type; int force_original_aspect_ratio; int force_divisible_by; int reset_sar; diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index ba5c512e03..27ac4a5d29 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -165,7 +165,8 @@ typedef struct MIContext { const AVClass *class; AVMotionEstContext me_ctx; AVRational frame_rate; - enum MIMode mi_mode; + /* enum MIMode */ + int mi_mode; int mc_mode; int me_mode; int me_method; diff --git a/libavfilter/vf_tiltandshift.c b/libavfilter/vf_tiltandshift.c index d7bce064bb..05fda4433b 100644 --- a/libavfilter/vf_tiltandshift.c +++ b/libavfilter/vf_tiltandshift.c @@ -52,8 +52,8 @@ typedef struct TiltandshiftContext { int tilt; /* initial or final actions to perform (pad/hold a frame/black/nothing) */ - enum PaddingOption start; - enum PaddingOption end; + int start; + int end; /* columns to hold or pad at the beginning or at the end (respectively) */ int hold; diff --git a/libavfilter/vf_tonemap.c b/libavfilter/vf_tonemap.c index 6536549daf..54811ca40b 100644 --- a/libavfilter/vf_tonemap.c +++ b/libavfilter/vf_tonemap.c @@ -53,7 +53,8 @@ enum TonemapAlgorithm { typedef struct TonemapContext { const AVClass *class; - enum TonemapAlgorithm tonemap; + /* enum TonemapAlgorithm */ + int tonemap; double param; double desat; double peak; diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c index 2c1b0a007d..2f47cfd49f 100644 --- a/libavfilter/vf_tonemap_opencl.c +++ b/libavfilter/vf_tonemap_opencl.c @@ -57,7 +57,8 @@ typedef struct TonemapOpenCLContext { enum AVColorRange range, range_in, range_out; enum AVChromaLocation chroma_loc; - enum TonemapAlgorithm tonemap; + /* enum TonemapAlgorithm */ + int tonemap; enum AVPixelFormat format; double peak; double param; diff --git a/libavfilter/vsrc_perlin.c b/libavfilter/vsrc_perlin.c index 46c226ef91..1e52e93935 100644 --- a/libavfilter/vsrc_perlin.c +++ b/libavfilter/vsrc_perlin.c @@ -41,7 +41,8 @@ typedef struct PerlinContext { int octaves; double persistence; unsigned int random_seed; - enum FFPerlinRandomMode random_mode; + /* enum FFPerlinRandomMode */ + int random_mode; double xscale, yscale, tscale; uint64_t pts; diff --git a/libavfilter/vsrc_testsrc_vulkan.c b/libavfilter/vsrc_testsrc_vulkan.c index cb3c787213..ee0cfe254c 100644 --- a/libavfilter/vsrc_testsrc_vulkan.c +++ b/libavfilter/vsrc_testsrc_vulkan.c @@ -51,7 +51,8 @@ typedef struct TestSrcVulkanContext { int w, h; int pw, ph; char *out_format_string; - enum AVColorRange out_range; + /* enum AVColorRange */ + int out_range; unsigned int nb_frame; AVRational time_base, frame_rate; int64_t pts; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
