From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 19C294DC53
	for <ffmpegdev@gitmailbox.com>; Sun,  4 Jan 2026 00:32:55 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'Ikj+i7Y3gwcv2Mcsun0OnfC4GpD3Oz/ZLFnuLYxm2Do=', expected 
   b'iSfa+z/sdxC/vlQTGBtJczo7Skkdwj0m3PBpZBUpF3w=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1767486757; h=mime-version : to :
 date : message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=Ikj+i7Y3gwcv2Mcsun0OnfC4GpD3Oz/ZLFnuLYxm2Do=;
 b=a8Y+lzCb9HJ5Z13vNlKRou8FvNBZDkwK8tCGCYDJp08XcCPoNiBcTSXwon26xISiSlFLU
 g2h0Mo2QdMsyWu2yEjfprJiEiBiUOrz6hkAnjVOvQ8g+Tr1LLRPj0hqN2U2FzoMBJVlNTGm
 xqd6yaq471Ywu6YURdqYPWKQ5fsaUKrqIKMCL5BZmpi6JsIJs0V0eNE3sa/WRJ4X1NG1eCX
 I1pLMCtCITOm7U9UucKXsqhRXXB+zxUoEYVBI8C2z+2BFSNhMpWBdOFyReQoW4WyP2UWPhX
 zo7hSdKXmPSTliQ1+EKd6BHVDylZcIp46iSYtsRJ0y9PLa6fh0F/QySp4SiQ==
Received: from [172.20.0.4] (unknown [172.20.0.4])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 8F3BE690D3E;
	Sun,  4 Jan 2026 02:32:37 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1767486740;
 b=C/Drkdpar5QZNPjVTKvAs7/HHsp2/b1AkngmvNB8dNgJigGD7aMeIROIydibvX5YSvVUm
 q4jbGZI5AxTgy/FEe2ttWLyOHL8Mpi350LrXhQlVLiLjMvSax8SZPoed6Ng6sytIe4ESSaN
 9V+KydNmKYyFgwZYorC+tBRf+khlJN1jnSc2nldhW6jsFxM2EzRBRiqI7aL0WnmJ1MTXpWI
 oAuGlgbqAqr6/Aug8GJagyNe7HXQ7Yi3HpkCTbmfDKYZP1VvzrAZZjQmCgXqZ5+K7oO/O+3
 FCTVDLWstcd3fwFVHJn1SXa6+vFuZFe/LEIHdHiGbcC8v1MsTDjNuc7SDkDA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1767486740; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=Tw+sIm/lflj4DgnAGg83LsS1turUb/32HXYYmTYdDwQ=;
 b=EWwyLQ5xuctnKy12k8vAU5NZPg59ajaShOqQIa8C0/Z2RpAUW9WAD4ZpLATJTJNlKTWhG
 g6YYFOsccFnV2NE3is6hclUww/GYTnb7pK8ApNONt/VdJvj39l6zAs+wUNI7FjAiDNUwApm
 V0FkOKE2+w/4gLdJBETuj4Wt1154XHoigvB1G9cBacPcjUgd22F3NnEpMHxNUvgRFJb6Gj8
 hu2PJboKkdlyykFYEAp8era9mMJw+VjGEVJMbg1j/j4QkBy/RX9VYD83FET1/GwuIrbOauK
 muV3cgcoqJJ25ukWn9SZUS8vvnvV610ZWWNAUC0BqhhIBVD8F7psyay4WB0Q==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=ffmpeg.org
 policy.dmarc=quarantine
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1767486731; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : date : from;
 bh=iSfa+z/sdxC/vlQTGBtJczo7Skkdwj0m3PBpZBUpF3w=;
 b=kjL7veq2+DVsYKkfI17ws2JfuGLEvwV26GV8sShXq+fiPf+MzHlEulnwsh8/CJYx4ltgV
 CU/RPJMqDKwPUf3Z1SqXPBsbjlcvq0AoblHel2q4lHHMaSVuLsYv2rvWRkyoWp8JXeR2vBc
 acqSTzhkc/24LsbJemp92IiMvjH0p+xsb4gJ6yZf0BDPQnt9IDMf808nM/ACQ2xwpma+2np
 CEOf4w20fLt6JE+BldTbkdQBZNfl6kYYJAz2T8VN6ejBL+qmxsg1HT4wmxEVgE+Huu9WifW
 N9kh4yJPd+FHFggK69FuBpQc1ZyD0aCb1bklpQwiiPhfbj1p4YXiZT9EhEiA==
Received: from de3a2b3407a2 (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id E3290690502
	for <ffmpeg-devel@ffmpeg.org>; Sun,  4 Jan 2026 02:32:10 +0200 (EET)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 04 Jan 2026 00:32:10 -0000
Message-ID: <176748673123.25.16261856486905631974@4457048688e7>
Message-ID-Hash: NXUIJUYVMWRVHIQY26C5GIRNWQED7KMG
X-Message-ID-Hash: NXUIJUYVMWRVHIQY26C5GIRNWQED7KMG
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avfilter/vf_stack: add checks for the final canvas
 dimensions (PR #21369)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/NXUIJUYVMWRVHIQY26C5GIRNWQED7KMG/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/176748673123.25.16261856486905631974@4457048688e7/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: James Almer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: James Almer <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/176748673123.25.16261856486905631974@4457048688e7/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #21369 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21369
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21369.patch

Prevents potential integer overflows when trying to stitch absurdly huge images together.

Fixes #YWH-PGM40646-38.


>>From 4fad1367040e093c8a52f4f34054e4feb5203243 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Sat, 3 Jan 2026 21:31:30 -0300
Subject: [PATCH] avfilter/vf_stack: add checks for the final canvas dimensions

Prevents potential integer overflows when trying to stitch absurdly huge images together.

Fixes #YWH-PGM40646-38.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavfilter/vf_stack.c | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/libavfilter/vf_stack.c b/libavfilter/vf_stack.c
index a36e1bab64..6e9ac60a56 100644
--- a/libavfilter/vf_stack.c
+++ b/libavfilter/vf_stack.c
@@ -234,6 +234,8 @@ static int config_output(AVFilterLink *outlink)
                 item->y[1] = item->y[2] = AV_CEIL_RSHIFT(height, s->desc->log2_chroma_h);
                 item->y[0] = item->y[3] = height;
 
+                if (height > INT_MAX - ctx->inputs[i]->h)
+                    return AVERROR(EINVAL);
                 height += ctx->inputs[i]->h;
             }
         }
@@ -259,6 +261,8 @@ static int config_output(AVFilterLink *outlink)
                     return ret;
                 }
 
+                if (width > INT_MAX - ctx->inputs[i]->w)
+                    return AVERROR(EINVAL);
                 width += ctx->inputs[i]->w;
             }
         }
@@ -294,8 +298,13 @@ static int config_output(AVFilterLink *outlink)
 
                 item->y[1] = item->y[2] = AV_CEIL_RSHIFT(inh, s->desc->log2_chroma_h);
                 item->y[0] = item->y[3] = inh;
+
+                if (inw > INT_MAX - ctx->inputs[k]->w)
+                    return AVERROR(EINVAL);
                 inw += ctx->inputs[k]->w;
             }
+            if (height > INT_MAX - row_height)
+                return AVERROR(EINVAL);
             height += row_height;
             if (!i)
                 width = inw;
@@ -351,26 +360,41 @@ static int config_output(AVFilterLink *outlink)
                         if (size == i || size < 0 || size >= s->nb_inputs)
                             return AVERROR(EINVAL);
 
-                        if (!j)
+                        if (!j) {
+                            if (inw > INT_MAX - ctx->inputs[size]->w)
+                                return AVERROR(EINVAL);
                             inw += ctx->inputs[size]->w;
-                        else
+                        } else {
+                            if (inh > INT_MAX - ctx->inputs[size]->w)
+                                return AVERROR(EINVAL);
                             inh += ctx->inputs[size]->w;
+                        }
                     } else if (sscanf(arg3, "h%d", &size) == 1) {
                         if (size == i || size < 0 || size >= s->nb_inputs)
                             return AVERROR(EINVAL);
 
-                        if (!j)
+                        if (!j) {
+                            if (inw > INT_MAX - ctx->inputs[size]->h)
+                                return AVERROR(EINVAL);
                             inw += ctx->inputs[size]->h;
-                        else
+                        } else {
+                            if (inh > INT_MAX - ctx->inputs[size]->h)
+                                return AVERROR(EINVAL);
                             inh += ctx->inputs[size]->h;
+                        }
                     } else if (sscanf(arg3, "%d", &size) == 1) {
                         if (size < 0)
                             return AVERROR(EINVAL);
 
-                        if (!j)
+                        if (!j) {
+                            if (inw > INT_MAX - size)
+                                return AVERROR(EINVAL);
                             inw += size;
-                        else
+                        } else {
+                            if (inh > INT_MAX - size)
+                                return AVERROR(EINVAL);
                             inh += size;
+                        }
                     } else {
                         return AVERROR(EINVAL);
                     }
@@ -384,6 +408,8 @@ static int config_output(AVFilterLink *outlink)
             item->y[1] = item->y[2] = AV_CEIL_RSHIFT(inh, s->desc->log2_chroma_h);
             item->y[0] = item->y[3] = inh;
 
+            if (inlink->w > INT_MAX - inw || inlink->h > INT_MAX - inh)
+                return AVERROR(EINVAL);
             width  = FFMAX(width,  inlink->w + inw);
             height = FFMAX(height, inlink->h + inh);
         }
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org