From mboxrd@z Thu Jan 1 00:00:00 1970
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 17 Jan 2026 03:40:40 -0000
Message-ID: <176862124081.25.8483233398893023072@4457048688e7>
Subject: [FFmpeg-devel] [PR] libavfilter/showcwt: fix OOB write for DU/RL position init (PR #21498)
From: ruikai via ffmpeg-devel
Cc: ruikai
List-Id: FFmpeg development discussions and patches

PR #21498 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21498
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21498.patch

In config_output() for direction=DU/RL, the position is initialized to s->sono_size, which equals h or w when bar=0. That position is later used as an in-bounds pixel coordinate without clamping in draw(), causing writes past the end of the output planes.

Repro:

```
ffmpeg -f lavfi -i sine=frequency=1000:sample_rate=44100 \
  -filter_complex "[0:a]showcwt=s=640x512:bar=0:direction=du[v]" \
  -map "[v]" -frames:v 1 -f null -
```

AddressSanitizer: `heap-buffer-overflow ... WRITE of size 1`

Initialize and wrap the DU/RL position to sono_size - 1 (or 0 when empty), preventing out-of-bounds row/column writes when bar=0 while preserving existing slide behavior.

From 933c5c48cfa9cd66fd655beb123c3fee1b18ddac Mon Sep 17 00:00:00 2001
From: Ruikai Peng Date: Fri, 16 Jan 2026 22:32:35 -0500 Subject: [PATCH] libavfilter/showcwt: fix OOB write for DU/RL position init In config_output() for direction=DU/RL, the position is initialized to s->sono_size, which equals h or w when bar=0. That position is later used as an in-bounds pixel coordinate without clamping in draw(), causing writes past the end of the output planes. Repro: ffmpeg -f lavfi -i sine=frequency=1000:sample_rate=44100 \ -filter_complex "[0:a]showcwt=s=640x512:bar=0:direction=du[v]" \ -map "[v]" -frames:v 1 -f null - AddressSanitizer: heap-buffer-overflow ... WRITE of size 1 Initialize and wrap the DU/RL position to sono_size - 1 (or 0 when empty), preventing out-of-bounds row/column writes when bar=0 while preserving existing slide behavior. --- libavfilter/avf_showcwt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c index 8edf2fb43b..37cbf5514b 100644 --- a/libavfilter/avf_showcwt.c +++ b/libavfilter/avf_showcwt.c @@ -1012,7 +1012,7 @@ static int config_output(AVFilterLink *outlink) break; case DIRECTION_RL: case DIRECTION_DU: - s->pos = s->sono_size; + s->pos = FFMAX(s->sono_size - 1, 0); break; } @@ -1087,7 +1087,7 @@ static int output_frame(AVFilterContext *ctx) case DIRECTION_RL: s->pos--; if (s->pos < 0) { - s->pos = s->sono_size; + s->pos = FFMAX(s->sono_size - 1, 0); s->new_frame = 1; } break; @@ -1101,7 +1101,7 @@ static int output_frame(AVFilterContext *ctx) case DIRECTION_DU: s->pos--; if (s->pos < 0) { - s->pos = s->sono_size; + s->pos = FFMAX(s->sono_size - 1, 0); s->new_frame = 1; } break; 
@@ -1115,7 +1115,7 @@ static int output_frame(AVFilterContext *ctx) break; case DIRECTION_RL: case DIRECTION_DU: - s->pos = s->sono_size; + s->pos = FFMAX(s->sono_size - 1, 0); break; } break; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
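Review bot: in the config_output() hunk (@@ -1012), FFMAX(s->sono_size - 1, 0) leaves pos at 0 when sono_size is 0, and 0 is not a valid sonogram coordinate either in that case; since the commit message says draw() uses pos without clamping, confirm that the sonogram drawing path is skipped entirely when sono_size is 0 rather than relying on pos being in range, or guard the write with a sono_size > 0 check.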
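Review bot: in the two output_frame() wrap hunks (DIRECTION_RL at @@ -1087 and DIRECTION_DU at @@ -1101), the reset after pos < 0 now lands on sono_size - 1 instead of sono_size, so each sweep no longer visits the one position past the edge; the LR/UD counterparts are not in the diff, so check that they wrap to 0 on pos >= sono_size and that both directions therefore traverse exactly sono_size positions per sweep. The bar=0 repro in the description is a ready-made regression check; consider adding it as a FATE test so the overflow cannot reappear.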
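Review bot: the @@ -1115 hunk repeats the same switch and the same RL/DU reset as config_output(), making four copies of FFMAX(s->sono_size - 1, 0) in the file; factoring the reset into one small static helper (or computing the start position once into a context field at config time) would keep the four sites from drifting apart, which is how the off-by-one survived in every copy.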
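The off-by-one the PR description explains, modelled as a stand-alone C program. This is an added example, not FFmpeg's code: `struct slide`, `slide_init_buggy`, `slide_init_fixed`, `slide_step`, `draw_row` and `count_oob_writes` are assumed names for a minimal imitation of the showcwt DU/RL cursor logic, with the plane sized to sono_size as it is when bar=0. It counts how many writes would land past the plane under the old and the new initialization, and also shows the caveat that with sono_size 0 the clamped value 0 is still outside an empty plane, so the caller must skip drawing in that case.

```c
/* Added example (not FFmpeg code): a minimal model of a "slide" cursor that
 * walks a sonogram of sono_size rows from the far edge back to 0, as the
 * showcwt DU/RL directions do, reproducing the off-by-one in the initial
 * position and showing why clamping to sono_size - 1 fixes it. */
#include <stdio.h>
#include <stdlib.h>

#define FFMAX(a, b) ((a) > (b) ? (a) : (b))

/* Hypothetical cursor state; the names are assumptions, not the filter's. */
struct slide {
    int pos;        /* row/column index used when drawing */
    int sono_size;  /* number of valid rows/columns in the sonogram */
};

/* Buggy init: pos starts at sono_size, one past the last valid index. */
static void slide_init_buggy(struct slide *s, int sono_size)
{
    s->sono_size = sono_size;
    s->pos = sono_size;
}

/* Fixed init: start at the last valid index, or 0 when there is nothing to draw. */
static void slide_init_fixed(struct slide *s, int sono_size)
{
    s->sono_size = sono_size;
    s->pos = FFMAX(sono_size - 1, 0);
}

/* Advance one frame, wrapping back to the far edge when the cursor runs
 * off the start. Mirrors the DU/RL branch: decrement, then wrap if negative.
 * Returns 1 when a wrap happened (the filter's "new_frame"). */
static int slide_step(struct slide *s, int fixed)
{
    s->pos--;
    if (s->pos < 0) {
        s->pos = fixed ? FFMAX(s->sono_size - 1, 0) : s->sono_size;
        return 1;
    }
    return 0;
}

/* Draw one frame: mark row s->pos of a plane with plane_size rows.
 * Returns 1 if the write would fall outside the plane (the write ASan
 * reports), 0 otherwise; the store is only performed when in bounds so
 * the model itself is safe to run. */
static int draw_row(const struct slide *s, unsigned char *plane, int plane_size)
{
    if (s->pos < 0 || s->pos >= plane_size)
        return 1;
    plane[s->pos] = 0xff;
    return 0;
}

/* Run `frames` frames with the chosen init and count out-of-bounds writes.
 * With bar=0 the plane has exactly sono_size rows, the reported case.
 * Returns -1 on allocation failure. */
static int count_oob_writes(int sono_size, int frames, int fixed)
{
    struct slide s;
    int oob = 0;
    unsigned char *plane = calloc(sono_size > 0 ? sono_size : 1, 1);
    if (!plane)
        return -1;
    if (fixed)
        slide_init_fixed(&s, sono_size);
    else
        slide_init_buggy(&s, sono_size);
    for (int i = 0; i < frames; i++) {
        oob += draw_row(&s, plane, sono_size);
        slide_step(&s, fixed);
    }
    free(plane);
    return oob;
}

int main(void)
{
    const int size = 512, frames = 2 * size + 2;
    printf("buggy init (pos = sono_size):   %d out-of-bounds writes in %d frames\n",
           count_oob_writes(size, frames, 0), frames);
    printf("fixed init (pos = sono_size-1): %d out-of-bounds writes in %d frames\n",
           count_oob_writes(size, frames, 1), frames);
    printf("fixed init, sono_size = 0:      %d out-of-bounds writes in 3 frames\n",
           count_oob_writes(0, 3, 1));
    return 0;
}
```

With the buggy initialization the first frame of every sweep writes at index sono_size, which is exactly the one-past-the-end row ASan flags; the fixed initialization never leaves the plane. The sono_size 0 run shows that the clamp alone does not make an empty sonogram safe: pos 0 is still outside a zero-row plane, so the real filter has to avoid the sonogram write entirely in that configuration.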