PR #22369 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22369 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22369.patch
Happy to open separate pull requests, if prefered This are all of teh remaining swscale issues from this set that replicate here. teh remaining 4 do not replicate for me swscale/output: Fix integer overflow in alpha in yuv2rgba64_1_c_template() ... Fixes: signed integer overflow: -1548257 * 2048 cannot be represented in type 'int' Fixes: #21592 Found-by: HAORAN FANG swscale/utils: Check *Inc ... Fixes: signed integer overflow: -2147483648 - 65536 cannot be represented in type 'int' Fixes: #21588 Found-by: HAORAN FANG avfilter/vf_scale: Fix integer overflow in config_props() ... Fixes: signed integer overflow: 536870944 * 16 cannot be represented in type 'int' Fixes: #21587 Found-by: HAORAN FANG >From 40dd046874119d61b1920a115a85b5639073dab3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 3 Mar 2026 20:24:36 +0100 Subject: [PATCH 1/3] avfilter/vf_scale: Fix integer overflow in config_props() Fixes: signed integer overflow: 536870944 * 16 cannot be represented in type 'int' Fixes: #21587 Found-by: HAORAN FANG Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/vf_scale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 61d3ee0a0f..d113298ff0 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -649,8 +649,8 @@ static int config_props(AVFilterLink *outlink) if (outlink->w > INT_MAX || outlink->h > INT_MAX || - (outlink->h * inlink->w) > INT_MAX || - (outlink->w * inlink->h) > INT_MAX) + (outlink->h * (uint64_t)inlink->w) > INT_MAX || + (outlink->w * (uint64_t)inlink->h) > INT_MAX) av_log(ctx, AV_LOG_ERROR, "Rescaled value for width or height is too big.\n"); /* TODO: make algorithm configurable */ -- 2.52.0 >From e8714243e3319ac0a0883dabb9c9900c8235366f Mon Sep 17 00:00:00 2001 
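Review bot: The widened comparison in config_props() still only logs: in the lines shown, the body of the `if` is the single `av_log(...)` call, so when `outlink->h * (uint64_t)inlink->w` exceeds INT_MAX the filter prints "Rescaled value for width or height is too big." and carries on. If code below the hunk (not visible here) forms the same products in `int`, the overflow removed from the check would simply reappear there. Unless continuing is deliberate, the branch should fail the configuration, e.g. `{ av_log(...); return AVERROR(EINVAL); }`. Assuming `outlink->w`/`outlink->h` are signed, a negative value now converts to a very large unsigned operand and trips the check, which looks intended but deserves a one-line comment. config_props() starts and ends outside the hunk.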
From: Michael Niedermayer <[email protected]> Date: Tue, 3 Mar 2026 20:41:30 +0100 Subject: [PATCH 2/3] swscale/utils: Check *Inc Fixes: signed integer overflow: -2147483648 - 65536 cannot be represented in type 'int' Fixes: #21588 Found-by: HAORAN FANG Signed-off-by: Michael Niedermayer <[email protected]> --- libswscale/utils.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 90839817d8..77ca3207cf 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1223,8 +1223,8 @@ av_cold int ff_sws_init_single_context(SwsContext *sws, SwsFilter *srcFilter, if (!srcFilter) srcFilter = &dummyFilter; - c->lumXInc = (((int64_t)srcW << 16) + (dstW >> 1)) / dstW; - c->lumYInc = (((int64_t)srcH << 16) + (dstH >> 1)) / dstH; + int64_t lumXInc = (((int64_t)srcW << 16) + (dstW >> 1)) / dstW; + int64_t lumYInc = (((int64_t)srcH << 16) + (dstH >> 1)) / dstH; c->dstFormatBpp = av_get_bits_per_pixel(desc_dst); c->srcFormatBpp = av_get_bits_per_pixel(desc_src); c->vRounder = 4 * 0x0001000100010001ULL; @@ -1401,8 +1401,8 @@ av_cold int ff_sws_init_single_context(SwsContext *sws, SwsFilter *srcFilter, } else c->canMMXEXTBeUsed = 0; - c->chrXInc = (((int64_t)c->chrSrcW << 16) + (c->chrDstW >> 1)) / c->chrDstW; - c->chrYInc = (((int64_t)c->chrSrcH << 16) + (c->chrDstH >> 1)) / c->chrDstH; + int64_t chrXInc = (((int64_t)c->chrSrcW << 16) + (c->chrDstW >> 1)) / c->chrDstW; + int64_t chrYInc = (((int64_t)c->chrSrcH << 16) + (c->chrDstH >> 1)) / c->chrDstH; /* Match pixel 0 of the src to pixel 0 of dst and match pixel n-2 of src * to pixel n-2 of dst, but only for the FAST_BILINEAR mode otherwise do 
@@ -1413,15 +1413,26 @@ av_cold int ff_sws_init_single_context(SwsContext *sws, SwsFilter *srcFilter, * some special code for the first and last pixel */ if (flags & SWS_FAST_BILINEAR) { if (c->canMMXEXTBeUsed) { - c->lumXInc += 20; - c->chrXInc += 20; + lumXInc += 20; + chrXInc += 20; } // we don't use the x86 asm scaler if MMX is available else if (INLINE_MMX(cpu_flags) && c->dstBpc <= 14) { - c->lumXInc = ((int64_t)(srcW - 2) << 16) / (dstW - 2) - 20; - c->chrXInc = ((int64_t)(c->chrSrcW - 2) << 16) / (c->chrDstW - 2) - 20; + lumXInc = ((int64_t)(srcW - 2) << 16) / (dstW - 2) - 20; + chrXInc = ((int64_t)(c->chrSrcW - 2) << 16) / (c->chrDstW - 2) - 20; } } + if (chrXInc < 10 || chrXInc > INT_MAX || + chrYInc < 10 || chrYInc > INT_MAX || + lumXInc < 10 || lumXInc > INT_MAX || + lumYInc < 10 || lumYInc > INT_MAX) + return AVERROR_PATCHWELCOME; + + c->lumXInc = lumXInc; + c->lumYInc = lumYInc; + c->chrXInc = chrXInc; + c->chrYInc = chrYInc; + // hardcoded for now c->gamma_value = 2.2; -- 2.52.0 >From a8e2a978fbfea602017df8f9c8dd0173ec6f982a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 3 Mar 2026 20:56:31 +0100 Subject: [PATCH 3/3] swscale/output: Fix integer overflow in alpha in yuv2rgba64_1_c_template() Fixes: signed integer overflow: -1548257 * 2048 cannot be represented in type 'int' Fixes: #21592 Found-by: HAORAN FANG Signed-off-by: Michael Niedermayer <[email protected]> --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 94454860c3..b6e82319f4 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1270,7 +1270,7 @@ yuv2rgba64_1_c_template(SwsInternal *c, const int32_t *buf0, { const int32_t *ubuf0 = ubuf[0], *vbuf0 = vbuf[0]; int i; - int A1 = 0xffff<<14, A2= 0xffff<<14; + SUINT A1 = 0xffff<<14, A2= 0xffff<<14; if (uvalpha == 0) { for (i = 0; i < ((dstW + 1) >> 1); i++) { 
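Review bot: The new range check rejects the context with a bare `return AVERROR_PATCHWELCOME;` and no log line, and the lower bound `10` is an unexplained literal. A caller that hits this gets an opaque failure for what is really an input-dimension problem. An error-level `av_log` naming the out-of-range increment before the return, plus a comment such as `/* increments are 16.16 fixed point and must fit the context's increment fields */`, would make the rejection diagnosable. Separately, the rewritten MMX branch still divides by `(dstW - 2)` and `(c->chrDstW - 2)`; unless a destination width of 2 is excluded above the hunk, that is a division by zero which the new check runs too late to catch. ff_sws_init_single_context() starts and ends outside the hunk, so whether an early return here skips cleanup done on other error paths could not be confirmed.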
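Review bot: Declaring `A1`/`A2` as `SUINT` changes the type seen by every later use of the alpha values, not only the multiplication this patch targets (the `(SUINT)(1 << 11)` casts in the following hunk at -1288). As far as I know `SUINT` is unsigned outside checked builds, so any right shift, comparison or clip applied to `A1`/`A2` further down in yuv2rgba64_1_c_template(), outside the visible lines, now sees a negative alpha sample as a large positive value; that is worth confirming against the output stage. The change also silences the sanitizer report without bounding the input: the reported `-1548257` suggests `abuf0` can hold values outside the expected alpha range, which may deserve a check where that buffer is produced. A short comment at the declaration, e.g. `/* SUINT: unsigned arithmetic so out-of-range alpha wraps instead of overflowing */`, would record the intent.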
@@ -1288,8 +1288,8 @@ yuv2rgba64_1_c_template(SwsInternal *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] * (1 << 11); - A2 = abuf0[i * 2 + 1] * (1 << 11); + A1 = abuf0[i * 2 ] * (SUINT)(1 << 11); + A2 = abuf0[i * 2 + 1] * (SUINT)(1 << 11); A1 += 1 << 13; A2 += 1 << 13; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
