PR #23469 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23469 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23469.patch
avfilter/avf_showcwt: avoid undefined float to int conversion of nb_consumed_samples avfilter/avf_showcwt: fix out of array read in compute_kernel avfilter/avf_showcwt: fix out of array write in DIRECTION_DU EOF fill >From 40226211f01782359f22da3bb17a919503f8df71 Mon Sep 17 00:00:00 2001 From: jiale yao <[email protected]> Date: Fri, 12 Jun 2026 19:27:35 +0200 Subject: [PATCH 1/3] avfilter/avf_showcwt: fix out of array write in DIRECTION_DU EOF fill Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/avf_showcwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c index 4c4edaa768..1ea60174cb 100644 --- a/libavfilter/avf_showcwt.c +++ b/libavfilter/avf_showcwt.c @@ -1167,7 +1167,7 @@ static int output_frame(AVFilterContext *ctx) ptrdiff_t linesize = s->outpicref->linesize[p]; const int fill = p > 0 && p < 3 ? 128 : 0; - for (int y = s->h - s->pos; y >= 0; y--) { + for (int y = FFMIN(s->h - s->pos, s->h - 1); y >= 0; y--) { uint8_t *dst = s->outpicref->data[p] + y * linesize; memset(dst, fill, s->w); -- 2.52.0 >From b35dc15a72f0fd1174d678886c64348e17f8319a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Fri, 12 Jun 2026 20:21:26 +0200 Subject: [PATCH 2/3] avfilter/avf_showcwt: fix out of array read in compute_kernel Reproduced with a small output (e.g. size=2x2) under ASan. Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/avf_showcwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c index 1ea60174cb..9a0ddf3bf9 100644 --- a/libavfilter/avf_showcwt.c +++ b/libavfilter/avf_showcwt.c @@ -753,7 +753,7 @@ static int compute_kernel(AVFilterContext *ctx) } } - for (int n = b; n >= a; n--) { + for (int n = b - 1; n >= a; n--) { if (tkernel[n+range] != 0.f) { if (tkernel[n+range] > FLT_MIN) av_log(ctx, AV_LOG_DEBUG, "out of range kernel %g\n", tkernel[n+range]); -- 2.52.0 >From 88eba06383c8f6d6f3b8fc266774b9b6338c3dee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Fri, 12 Jun 2026 20:23:11 +0200 Subject: [PATCH 3/3] avfilter/avf_showcwt: avoid undefined float to int conversion of nb_consumed_samples Reproduced with: ffmpeg -f lavfi -i "sine=frequency=440" -filter_complex \ "[0:a]showcwt=size=32x32:deviation=0[v]" -map "[v]" -f null - Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/avf_showcwt.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c index 9a0ddf3bf9..5c1c2ef937 100644 --- a/libavfilter/avf_showcwt.c +++ b/libavfilter/avf_showcwt.c @@ -808,6 +808,7 @@ static int config_output(AVFilterLink *outlink) float maximum_frequency = fminf(s->maximum_frequency, limit_frequency); float minimum_frequency = s->minimum_frequency; float scale = 1.f, factor; + double nb_samples; int ret; if (minimum_frequency >= maximum_frequency) { @@ -877,11 +878,11 @@ static int config_output(AVFilterLink *outlink) if (!s->frequency_band) return AVERROR(ENOMEM); - s->nb_consumed_samples = inlink->sample_rate * - frequency_band(s->frequency_band, - s->frequency_band_count, maximum_frequency - minimum_frequency, - minimum_frequency, s->frequency_scale, s->deviation); - s->nb_consumed_samples = FFMIN(s->nb_consumed_samples, 65536); + nb_samples = inlink->sample_rate * + frequency_band(s->frequency_band, + s->frequency_band_count, maximum_frequency - minimum_frequency, + minimum_frequency, s->frequency_scale, s->deviation); + s->nb_consumed_samples = av_clip(av_clipd(nb_samples, 1, 65536), 1, 65536); s->nb_threads = FFMIN(s->frequency_band_count, ff_filter_get_nb_threads(ctx)); s->nb_channels = inlink->ch_layout.nb_channels; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
