From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id B29714E195
	for <ffmpegdev@gitmailbox.com>; Tue, 13 Jan 2026 23:09:18 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'cCXGQfhfn7J4Hf5oVk9ZbAQDJ2nzEPrtvKN0aIrhKbg=', expected 
   b'jDWFvfn55tZSSLVvNBZzyDc0LJy963Tc9MDW9SSL4/U=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1768345397; h=mime-version : to :
 date : message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=cCXGQfhfn7J4Hf5oVk9ZbAQDJ2nzEPrtvKN0aIrhKbg=;
 b=r+nxCkV48VNcbQCTxsWBFpXE8XpdpiRjbdfmkYDIWnSqTmTGBtkyZi5Twa2WBo9HGEVvj
 EzapwPQ7xfpXrTSIkDMYpUqDdcB9RqJ6HhjJcjOLw2zcVyacyd42awRd8gvjfcYVvOyV+ln
 fXV5PbZUeRIGkRBkpZEx7ZqKRCOOKBAhftSZPprfdiEdHvfsEoRxakW4RkNJnHkre07w4rA
 biQwyBkYZxx9IpYjfTAZJBoCyuYkt2AT2SMUMjx8Ux864DuLttQUx2myND5LsgRD9w65Yry
 m5ENrlN2BK3Qdov0xlHD1hcxVjtl/Q0hC2FZ1dBczgOGkgthmWVYHmPPG1wg==
Received: from [172.20.0.4] (unknown [172.20.0.4])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 4FFC9690F8B;
	Wed, 14 Jan 2026 01:03:17 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1768345288;
 b=Ug3kp5iNAhyrXsRs7hHUFii6Sw5uEnZhQGW+WYV1ZlHoDsiPTIsiBUQNMUpmzWcepEgyC
 UjYhMGlr5gRwtCXxxrKOLqbMT+HGgX4T5IsTGilYdz7vxwCVouqVwo9IQ1SMSJZ2vDkuZV3
 1zfti7xSBTZznOITO57iWocQxL6iShAsgy5MUzqgGb///T/nLMRAAEBRBhYL2VT6h1+Tu86
 xN1xhqEaQT86sEN27NdYQh2WRYn4ukNfTRboje/BV8gqWI2ReHPoS0m3ZdawVDbEF8QFF6Y
 hWCWzWh7k2STq2x0+mySuji426+rnIiI/1VtLHAGavyQTQouJHh7yiTsOnrw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1768345288; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=/3eZvGIbxRlEOJ2gZPL8tYrzq9RfvkBGuoRDTThUXWQ=;
 b=rPupPjoSYE2lRwDhGapA1h/EHu8fczW/n1mwbA1X0Kx3o6i6IgDsufM93qIGHGvo8xnCe
 RiQnVBu0DVF1jNrm2EN/iLB6dSH5aeseMUUYQjbUBIUXZihFvKtC/zX68kEYrv1od4zik6x
 EKaN1DMS6VLgq1oAfWgu0SkeTsKMwoTw6uGGidvyM8UvZLM66Fz+gaHXtTma2MgrS2ZUqYI
 IknH2vqXEC/uiSJcEVLlFeVr/F2nuREgu634dvxBP5ArOuBKNU9ZBbKW4HPctOWScS0QjeG
 lvWddDA9d3BD67FPi32LjjLc0+dAityHZ8BdVEMKaoDfEakss441txiGQ1LA==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=ffmpeg.org
 policy.dmarc=quarantine
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1768345274; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : date : from;
 bh=jDWFvfn55tZSSLVvNBZzyDc0LJy963Tc9MDW9SSL4/U=;
 b=JWvZEnu+a20VTMqz4NFGA/8dGHjPVr5bU/OOLx5tShAWXcTUDekyftVxAKtcph4DkMK08
 GffCXHuwCZQiS8zN9wrNopryq6ezlHhsca4a/fA4oFs30TTgifyeU0DgIuGNHepuB4FPKJJ
 ksQJsXicg7LsKyeeOVOFJtaRcgThmEcFANiZixBc63zO3bunriK3X3g5sThd1TX9riv4q6K
 o8vYX3IgR0OeDILMqWPOE0EeLargsp3Gwc4kv71+C+rhjnIWoMbjl8vHjIBlBp3xZdFpfyK
 LxtRSSJMHuXMpPcVB8ZzfFRJbLvGEnA97s8aO2b8UXAs0o7kN1nXNMffrdVA==
Received: from f7c34508609e (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id BF064690D84
	for <ffmpeg-devel@ffmpeg.org>; Wed, 14 Jan 2026 01:01:14 +0200 (EET)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 13 Jan 2026 23:00:56 -0000
Message-ID: <176834527506.25.18267697070388951310@4457048688e7>
Message-ID-Hash: 2542DO4T7YQS53B6RVGMTJBDWZGVNUH2
X-Message-ID-Hash: 2542DO4T7YQS53B6RVGMTJBDWZGVNUH2
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avfilter/vf_find_rect: fix missing bounds checking in
 frame compare() function (PR #21456)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/2542DO4T7YQS53B6RVGMTJBDWZGVNUH2/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/176834527506.25.18267697070388951310@4457048688e7/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: Timo Rothenpieler via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: Timo Rothenpieler <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/176834527506.25.18267697070388951310@4457048688e7/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #21456 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21456.patch

There was so far zero bounds checking here.
If the frame that's being searched in is smaller than the object being searched for or shifted around too far using the offset, the function would happily read beyond the frame's bounds.

Rather than checking at filter init time, I opted to add the check right here, since frame sizes might change at runtime for various reasons, so just checking right here to never over/under read seems better to me.

Fixes #YWH-PGM40646-15


>>From 25402bb760f5bee149d0eb0a9a66ca601f3f3702 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler <timo@rothenpieler.org>
Date: Tue, 13 Jan 2026 23:57:39 +0100
Subject: [PATCH] avfilter/vf_find_rect: fix missing bounds checking in frame
 compare() function

Fixes #YWH-PGM40646-15
---
 libavfilter/vf_find_rect.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c
index b0be1a6f11..8c983dbf12 100644
--- a/libavfilter/vf_find_rect.c
+++ b/libavfilter/vf_find_rect.c
@@ -126,8 +126,14 @@ static float compare(const AVFrame *haystack, const AVFrame *obj, int offx, int
     const uint8_t *hdat = haystack->data[0] + offx + offy * haystack->linesize[0];
     int64_t o_sigma, h_sigma;
 
-    for(y = 0; y < obj->height; y++) {
-        for(x = 0; x < obj->width; x++) {
+    int64_t comp_w = FFMIN((int64_t)haystack->width - offx, obj->width);
+    int64_t comp_h = FFMIN((int64_t)haystack->height - offy, obj->height);
+
+    if (offx >= haystack->width || offy >= haystack->height || comp_w <= 0 || comp_h <= 0)
+        return 1.0;
+
+    for(y = 0; y < comp_h; y++) {
+        for(x = 0; x < comp_w; x++) {
             int o_v = odat[x];
             int h_v = hdat[x];
             o_sum_v += o_v;
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org