[FFmpeg-devel] [PR] avcodec/diracdec: Enlarge `mctmp` to cover the worst-case `blheight·ybsep + yblen` rows, and break the MC loop when no output rows remain (PR #23109)

[michaelni via ffmpeg-devel]

PR #23109 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23109
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23109.patch

Fixes: ffmpeg_ANT-2026-02842_dirac-mctmp-heap-overflow

Discovered by Claude (Anthropic). Confirmed and reported by Thai Duong 
(Calif.io).

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>


>From a4f5ee047281ae89af46ac49526bbb04ff96f52f Mon Sep 17 00:00:00 2001
From: Thai Duong <t...@calif.io>
Date: Sat, 16 May 2026 04:54:36 +0200
Subject: [PATCH] =?UTF-8?q?avcodec/diracdec:=20Enlarge=20`mctmp`=20to=20co?=
 =?UTF-8?q?ver=20the=20worst-case=20`blheight=C2=B7ybsep=20+=20yblen`=20ro?=
 =?UTF-8?q?ws,=20and=20break=20the=20MC=20loop=20when=20no=20output=20rows?=
 =?UTF-8?q?=20remain?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: ffmpeg_ANT-2026-02842_dirac-mctmp-heap-overflow

Discovered by Claude (Anthropic). Confirmed and reported by Thai Duong 
(Calif.io).

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 2eabf74274..2a047c0bb9 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -341,7 +341,7 @@ static int alloc_buffers(DiracContext *s, int stride)
 
     s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
 
-    s->mctmp     = av_malloc_array((stride+MAX_BLOCKSIZE), (h+MAX_BLOCKSIZE) * 
sizeof(*s->mctmp));
+    s->mctmp     = av_malloc_array((stride+MAX_BLOCKSIZE), (h + 
5*MAX_BLOCKSIZE) * sizeof(*s->mctmp));
     s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
 
     if (!s->edge_emu_buffer_base || !s->mctmp || !s->mcscratch)
@@ -1944,7 +1944,7 @@ static int dirac_decode_frame_internal(DiracContext *s)
                     h = p->height - start;
                 else
                     h = p->ybsep - (start - dsty);
-                if (h < 0)
+                if (h <= 0)
                     break;
 
                 memset(mctmp+2*p->yoffset*p->stride, 0, 2*rowheight);
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-le...@ffmpeg.org