PR #22365 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22365
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22365.patch

I can open separate PRs if preferred

swscale/output: Fixes integer overflow in yuv2planeX_8_c ...
Fixes: integer overflow (does not replicate, but looks like it should overflow with some crafted parameters)
Fixes: #21584
Found-by: HAORAN FANG

swscale/utils: initialize chroma when luma switched to cascade ...
When luma init switched to cascade the chroma init was skipped
Fixes: NULL pointer dereference
Fixes: #21583
Found-by: HAORAN FANG

>From 7d41a1849df61cc9a5637b22a1f45a79a6ccc64e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Tue, 3 Mar 2026 18:10:28 +0100
Subject: [PATCH 1/2] swscale/utils: initialize chroma when luma switched to cascade

When luma init switched to cascade the chroma init was skipped

Fixes: NULL pointer dereference
Fixes: #21583
Found-by: HAORAN FANG
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libswscale/utils.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libswscale/utils.c b/libswscale/utils.c index 90839817d8..ef473f3574 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1709,13 +1709,15 @@ av_cold int ff_sws_init_single_context(SwsContext *sws, SwsFilter *srcFilter, PPC_ALTIVEC(cpu_flags) ? 8 : have_neon(cpu_flags) ? 2 : 1; - if ((ret = initFilter(&c->vLumFilter, &c->vLumFilterPos, &c->vLumFilterSize, + ret = initFilter(&c->vLumFilter, &c->vLumFilterPos, &c->vLumFilterSize, c->lumYInc, srcH, dstH, filterAlign, (1 << 12), (flags & SWS_BICUBLIN) ? (flags | SWS_BICUBIC) : flags, cpu_flags, srcFilter->lumV, dstFilter->lumV, sws->scaler_params, get_local_pos(c, 0, 0, 1), - get_local_pos(c, 0, 0, 1))) < 0) + get_local_pos(c, 0, 0, 1)); + int usecascade = (ret == RETCODE_USE_CASCADE); + if (ret < 0 && !usecascade) goto fail; if ((ret = initFilter(&c->vChrFilter, &c->vChrFilterPos, &c->vChrFilterSize, c->chrYInc, c->chrSrcH, c->chrDstH, 
@@ -1727,6 +1729,10 @@ av_cold int ff_sws_init_single_context(SwsContext *sws, SwsFilter *srcFilter, get_local_pos(c, c->chrDstVSubSample, sws->dst_v_chr_pos, 1))) < 0) goto fail; + if (usecascade) { + ret = RETCODE_USE_CASCADE; + goto fail; + } #if HAVE_ALTIVEC ret = ff_sws_init_altivec_bufs(c);
-- 2.52.0

>From 55a985287e5e55ea85761294bd64d2dd1ef10a17 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Tue, 3 Mar 2026 18:23:39 +0100
Subject: [PATCH 2/2] swscale/output: Fixes integer overflow in yuv2planeX_8_c

Fixes: integer overflow (does not replicate, but looks like it should overflow with some crafted parameters)
Fixes: #21584
Found-by: HAORAN FANG
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libswscale/output.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libswscale/output.c b/libswscale/output.c index 94454860c3..d660eeb12a 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -473,8 +473,10 @@ static void yuv2planeX_8_c(const int16_t *filter, int filterSize, for (i=0; i<dstW; i++) { int val = dither[(i + offset) & 7] << 12; int j; - for (j=0; j<filterSize; j++) - val += src[j][i] * filter[j]; + for (j=0; j<filterSize; j++) { + val += (unsigned)(src[j][i] * filter[j]); + + } dest[i]= av_clip_uint8(val>>19); }
-- 2.52.0
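
Review bot: In the first libswscale/utils.c hunk (@@ -1709), nothing at `int usecascade = (ret == RETCODE_USE_CASCADE);` says why a cascade result from the vLumFilter init is now held back instead of taken immediately. The reason is only in the commit message (the chroma init was skipped, leading to a NULL pointer dereference). A one-line comment above the declaration would keep a later cleanup from folding the check back into `if ((ret = initFilter(...)) < 0)`. The new `if (ret < 0 && !usecascade)` also only makes sense if RETCODE_USE_CASCADE is negative, which the hunk does not show; the comment could state that too.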
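
Review bot: In the second libswscale/utils.c hunk (@@ -1727), the added `if (usecascade) { ret = RETCODE_USE_CASCADE; goto fail; }` sends a non-error result through the `fail` label right after the vChrFilter init has succeeded. The label's body is outside the hunk, so please confirm it does not release the vChrFilter state that this patch exists to set up; otherwise the cascade path would reach the same uninitialized chroma state by a different route. Since `ret` is overwritten here, a short comment that a successful chroma init is intentionally replaced by the deferred cascade code would help the next reader.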
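
Review bot: In the libswscale/output.c hunk, the cast in `val += (unsigned)(src[j][i] * filter[j]);` removes the signed-overflow undefined behaviour from the accumulation, but `val` is still declared `int`, so the unsigned sum is converted back on every iteration (implementation-defined when out of range) and a wrapped value still goes into `av_clip_uint8(val>>19)` as a wrong sample. Declaring the accumulator unsigned and converting once before the shift would make the wraparound explicit. Since the commit message says the overflow does not replicate, it would also help to state the filterSize and coefficient bound at which the sum can exceed the int range. The loop body also gains an empty `+` line before the closing brace, which should be dropped.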
