To: ffmpeg-devel@ffmpeg.org
Date: Sat, 03 Jan 2026 20:56:30 -0000
Message-ID: <176747379104.25.5002799822713600938@4457048688e7>
Subject: [FFmpeg-devel] [PR] avfilter/vf_convolution: various heap over/underflow fixes (PR #21368)
From: Timo Rothenpieler via ffmpeg-devel
Cc: Timo Rothenpieler
Reply-To: FFmpeg development discussions and patches

PR #21368 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21368
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21368.patch

Without all this extra clamping, the filter would happily over- and underflow the input and output image buffers.

Fixes #YWH-PGM40646-36

>>From 8e2079c53e35a99a81382f2428862153f3a4d928 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 3 Jan 2026 21:23:02 +0100 Subject: [PATCH 1/3] avfilter/vf_convolution: clamp column and row offsets to actual width/height of buffer Otherwise the buffer might be dramatically under or over-read. --- libavfilter/vf_convolution.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_convolution.c b/libavfilter/vf_convolution.c index ce42df2cde..2c4f706449 100644 --- a/libavfilter/vf_convolution.c +++ b/libavfilter/vf_convolution.c 
@@ -554,7 +554,7 @@ static void setup_row(int radius, const uint8_t *c[], const uint8_t *src, int st for (i = 0; i < radius * 2 + 1; i++) { int xoff = FFABS(x + i - radius); - xoff = xoff >= w ? 2 * w - 1 - xoff : xoff; + xoff = FFMIN(FFMAX(xoff >= w ? 2 * w - 1 - xoff : xoff, 0), w - 1); c[i] = src + xoff * bpc + y * stride; } @@ -568,7 +568,7 @@ static void setup_column(int radius, const uint8_t *c[], const uint8_t *src, int for (i = 0; i < radius * 2 + 1; i++) { int xoff = FFABS(x + i - radius); - xoff = xoff >= h ? 2 * h - 1 - xoff : xoff; + xoff = FFMIN(FFMAX(xoff >= h ? 2 * h - 1 - xoff : xoff, 0), h - 1); c[i] = src + y * bpc + xoff * stride; } -- 2.49.1 >>From a16db608a5246c82f660db4f2b80776887ecbc43 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 3 Jan 2026 21:45:41 +0100 Subject: [PATCH 2/3] avfilter/vf_convolution: don't over-read input stride in filter_column --- libavfilter/vf_convolution.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_convolution.c b/libavfilter/vf_convolution.c index 2c4f706449..81f66dcdac 100644 --- a/libavfilter/vf_convolution.c +++ b/libavfilter/vf_convolution.c @@ -502,11 +502,12 @@ static void filter_column(uint8_t *dst, int height, memset(sum, 0, sizeof(sum)); for (int i = 0; i < 2 * radius + 1; i++) { - for (int off16 = 0; off16 < 16; off16++) + for (int off16 = 0; off16 < 16 && off16 < stride; off16++) { sum[off16] += c[i][0 + y * stride + off16] * matrix[i]; + } } - for (int off16 = 0; off16 < 16; off16++) { + for (int off16 = 0; off16 < 16 && off16 < stride && off16 < dstride; off16++) { sum[off16] = (int)(sum[off16] * rdiv + bias + 0.5f); dst[off16] = av_clip_uint8(sum[off16]); } -- 2.49.1 >>From 9f5c6a8f6de328af4d577d9156d7acdb0b10f0ae Mon Sep 17 00:00:00 2001 
From: Timo Rothenpieler Date: Sat, 3 Jan 2026 21:53:23 +0100 Subject: [PATCH 3/3] avfilter/vf_convolution: clamp x and y offsets to actual width/height of the image Without this, if the input/output are sufficiently small enough, this will over-write and read the buffers by however much the radius or slice-size is. Fixes #YWH-PGM40646-36 --- libavfilter/vf_convolution.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_convolution.c b/libavfilter/vf_convolution.c index 81f66dcdac..2902d6117e 100644 --- a/libavfilter/vf_convolution.c +++ b/libavfilter/vf_convolution.c @@ -615,12 +615,16 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) continue; } for (y = slice_start; y < slice_end; y += step) { - const int xoff = mode == MATRIX_COLUMN ? (y - slice_start) * bpc : radius * bpc; - const int yoff = mode == MATRIX_COLUMN ? radius * dstride : 0; + int xoff = mode == MATRIX_COLUMN ? (y - slice_start) * bpc : radius * bpc; + int yoff = mode == MATRIX_COLUMN ? radius * dstride : 0; + xoff = FFMIN(FFMAX(xoff, 0), width); + yoff = FFMIN(FFMAX(yoff, 0), height); for (x = 0; x < radius; x++) { - const int xoff = mode == MATRIX_COLUMN ? (y - slice_start) * bpc : x * bpc; - const int yoff = mode == MATRIX_COLUMN ? x * dstride : 0; + int xoff = mode == MATRIX_COLUMN ? (y - slice_start) * bpc : x * bpc; + int yoff = mode == MATRIX_COLUMN ? x * dstride : 0; + xoff = FFMIN(FFMAX(xoff, 0), width); + yoff = FFMIN(FFMAX(yoff, 0), height); s->setup[plane](radius, c, src, stride, x, width, y, height, bpc); s->filter[plane](dst + yoff + xoff, 1, rdiv, 
@@ -632,8 +636,10 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) rdiv, bias, matrix, c, s->max, radius, dstride, stride, slice_end - step); for (x = sizew - radius; x < sizew; x++) { - const int xoff = mode == MATRIX_COLUMN ? (y - slice_start) * bpc : x * bpc; - const int yoff = mode == MATRIX_COLUMN ? x * dstride : 0; + int xoff = mode == MATRIX_COLUMN ? (y - slice_start) * bpc : x * bpc; + int yoff = mode == MATRIX_COLUMN ? x * dstride : 0; + xoff = FFMIN(FFMAX(xoff, 0), width); + yoff = FFMIN(FFMAX(yoff, 0), height); s->setup[plane](radius, c, src, stride, x, width, y, height, bpc); s->filter[plane](dst + yoff + xoff, 1, rdiv, -- 2.49.1
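
Review bot: In patch 1/3, setup_row, the new bound FFMIN(FFMAX(..., 0), w - 1) only yields a valid index when w >= 1; with w == 0 the upper bound is -1 and c[i] still points before src. The clamp also changes the border behaviour without saying so: whenever the mirrored index 2 * w - 1 - xoff goes negative (xoff >= 2 * w), the tap now repeats pixel 0 instead of mirroring. Suggest writing it as av_clip(xoff >= w ? 2 * w - 1 - xoff : xoff, 0, w - 1) and adding a one-line comment that states the w >= 1 assumption and the fallback to edge replication.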
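
Review bot: In patch 1/3, setup_column, the clamped value is a row index (it is bounded by h and multiplied by stride in c[i] = src + y * bpc + xoff * stride) but is still named xoff, so the clamp against h - 1 reads like a copy-paste slip next to the identical setup_row line. Rename it to yoff or row while touching the line; the h - 1 upper bound has the same h >= 1 precondition as the row case and deserves the same comment.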
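
Review bot: In patch 2/3, filter_column, the added condition off16 < stride bounds the 16-wide block by the row pitch, not by the number of columns left in the row. The read is c[i][0 + y * stride + off16], so when the block starts fewer than 16 columns from the right edge the loop still walks past the end of the row (and past the buffer on the last row) as long as stride is 16 or more. Nothing in the visible signature carries the remaining width; suggest passing it in and computing the count once before both loops, e.g. const int n = FFMIN(16, remaining), rather than re-testing stride and dstride on every iteration. The first loop is also bounded by stride only while the second uses stride and dstride, so sum[] entries can be accumulated that are never stored; using the same n in both keeps them consistent.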
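
Review bot: In patch 3/3, first filter_slice hunk, the clamps mix units: xoff is a byte offset (index * bpc) but is limited to width, and yoff is a byte offset (radius * dstride or x * dstride) but is limited to height, which is a row count. In MATRIX_COLUMN mode yoff = FFMIN(FFMAX(yoff, 0), height) therefore turns a row offset into at most height bytes, so dst + yoff + xoff lands somewhere in the first rows rather than on the intended row. The upper bounds are also inclusive (width, height rather than width - 1, height - 1), which allows an offset one element past the end. Suggest clamping the index before multiplying by bpc or dstride. Note too that s->setup[plane](radius, c, src, stride, x, width, y, height, bpc) still receives the unclamped x and y, so after a clamp the destination no longer corresponds to the source position being filtered.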
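
Review bot: In patch 3/3, second filter_slice hunk, the loop for (x = sizew - radius; x < sizew; x++) still starts at a negative x when sizew < radius; clamping xoff and yoff to 0 afterwards only makes every such iteration write to the same destination while setup is called with the negative x. Bounding the loop itself is clearer and avoids the redundant writes, for example starting at FFMAX(sizew - radius, 0) here and stopping the leading loop at FFMIN(radius, sizew). The unit mismatch raised on the previous hunk (byte offsets compared with width and height) applies to these two clamp lines as well.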