PR #22300 opened by yuyong05 URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22300 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22300.patch
The issue is caused by floating-point to integer overflow conversion at function av_clip_int16(p->filter_out[i + p->order]). The float value is -2,441,986,048.0 out of bound, less than INT_MIN(-2,147,483,648), which leads to UB and SIGILL crash. - Handle NAN using isfinite() - Clip float value into valid range of int16 with av_clipf >From 93a0975bac8d0dc371da04195210c7cd6070646b Mon Sep 17 00:00:00 2001 From: Yong Yu <[email protected]> Date: Thu, 26 Feb 2026 13:35:10 -0800 Subject: [PATCH] avcodec/cngdec: Fix SIGILL issue in cng_decode_frame() The issue is caused by floating-point to integer overflow conversion at function av_clip_int16(p->filter_out[i + p->order]). The float value is -2,441,986,048.0 out of bound, less than INT_MIN(-2,147,483,648), which leads to UB and SIGILL crash. - Handle NAN using isfinite() - Clip float value into valid range of int16 with av_clipf --- libavcodec/cngdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index eb37c33eb4..b46f5fef95 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -153,8 +153,10 @@ static int cng_decode_frame(AVCodecContext *avctx, AVFrame *frame, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; buf_out = (int16_t *)frame->data[0]; - for (i = 0; i < avctx->frame_size; i++) - buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); + for (i = 0; i < avctx->frame_size; i++) { + const float f = p->filter_out[i + p->order]; + buf_out[i] = !isfinite(f) ? 0 : lrintf(av_clipf(f, INT16_MIN, INT16_MAX)); + } memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
