* [FFmpeg-devel] [PR] avfilter/vf_find_rect: fix missing bounds checking in frame compare() function (PR #21456)
@ 2026-01-13 23:00 Timo Rothenpieler via ffmpeg-devel
0 siblings, 0 replies; only message in thread
From: Timo Rothenpieler via ffmpeg-devel @ 2026-01-13 23:00 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
PR #21456 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456.patch
There was so far zero bounds checking here.
If the frame that's being searched in is smaller than the object being searched for or shifted around too far using the offset, the function would happily read beyond the frame's bounds.
Rather than checking at filter init time, I opted to add the check right here, since frame sizes might change at runtime for various reasons, so just checking right here to never over/under read seems better to me.
Fixes #YWH-PGM40646-15
>From 25402bb760f5bee149d0eb0a9a66ca601f3f3702 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler <timo@rothenpieler.org>
Date: Tue, 13 Jan 2026 23:57:39 +0100
Subject: [PATCH] avfilter/vf_find_rect: fix missing bounds checking in frame
compare() function
Fixes #YWH-PGM40646-15
---
libavfilter/vf_find_rect.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c
index b0be1a6f11..8c983dbf12 100644
--- a/libavfilter/vf_find_rect.c
+++ b/libavfilter/vf_find_rect.c
@@ -126,8 +126,14 @@ static float compare(const AVFrame *haystack, const AVFrame *obj, int offx, int
const uint8_t *hdat = haystack->data[0] + offx + offy * haystack->linesize[0];
int64_t o_sigma, h_sigma;
- for(y = 0; y < obj->height; y++) {
- for(x = 0; x < obj->width; x++) {
+ int64_t comp_w = FFMIN((int64_t)haystack->width - offx, obj->width);
+ int64_t comp_h = FFMIN((int64_t)haystack->height - offy, obj->height);
+
+ if (offx >= haystack->width || offy >= haystack->height || comp_w <= 0 || comp_h <= 0)
+ return 1.0;
+
+ for(y = 0; y < comp_h; y++) {
+ for(x = 0; x < comp_w; x++) {
int o_v = odat[x];
int h_v = hdat[x];
o_sum_v += o_v;
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-01-13 23:09 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-01-13 23:00 [FFmpeg-devel] [PR] avfilter/vf_find_rect: fix missing bounds checking in frame compare() function (PR #21456) Timo Rothenpieler via ffmpeg-devel
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git