From: Timo Rothenpieler via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avfilter/vf_find_rect: fix missing bounds checking in frame compare() function (PR #21456)
Date: Tue, 13 Jan 2026 23:00:56 -0000
Message-ID: <176834527506.25.18267697070388951310@4457048688e7> (raw)
PR #21456 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456.patch
There was so far zero bounds checking here.
If the frame that's being searched in is smaller than the object being searched for or shifted around too far using the offset, the function would happily read beyond the frame's bounds.
Rather than checking at filter init time, I opted to add the check right here, since frame sizes might change at runtime for various reasons, so just checking right here to never over/under read seems better to me.
Fixes #YWH-PGM40646-15
>From 25402bb760f5bee149d0eb0a9a66ca601f3f3702 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler <timo@rothenpieler.org>
Date: Tue, 13 Jan 2026 23:57:39 +0100
Subject: [PATCH] avfilter/vf_find_rect: fix missing bounds checking in frame
compare() function
Fixes #YWH-PGM40646-15
---
libavfilter/vf_find_rect.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c
index b0be1a6f11..8c983dbf12 100644
--- a/libavfilter/vf_find_rect.c
+++ b/libavfilter/vf_find_rect.c
@@ -126,8 +126,14 @@ static float compare(const AVFrame *haystack, const AVFrame *obj, int offx, int
const uint8_t *hdat = haystack->data[0] + offx + offy * haystack->linesize[0];
int64_t o_sigma, h_sigma;
- for(y = 0; y < obj->height; y++) {
- for(x = 0; x < obj->width; x++) {
+ int64_t comp_w = FFMIN((int64_t)haystack->width - offx, obj->width);
+ int64_t comp_h = FFMIN((int64_t)haystack->height - offy, obj->height);
+
+ if (offx >= haystack->width || offy >= haystack->height || comp_w <= 0 || comp_h <= 0)
+ return 1.0;
+
+ for(y = 0; y < comp_h; y++) {
+ for(x = 0; x < comp_w; x++) {
int o_v = odat[x];
int h_v = hdat[x];
o_sum_v += o_v;
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
reply other threads:[~2026-01-13 23:09 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=176834527506.25.18267697070388951310@4457048688e7 \
--to=ffmpeg-devel@ffmpeg.org \
--cc=code@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git