To: ffmpeg-devel@ffmpeg.org
Date: Wed, 21 Jan 2026 01:48:03 -0000
Message-ID: <176896008444.25.13201353646452502714@4457048688e7>
Subject: [FFmpeg-devel] [PR] libswscale/utils: avoid sizeFactor related overflows (PR #21536)
From: michaelni via ffmpeg-devel
Cc: michaelni
Reply-To: FFmpeg development discussions and patches

PR #21536 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21536
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21536.patch

Fixes: multiple integer overflows
Fixes: out of array access
Found-by: Zhenpeng (Leo) Lin from depthfirst

From fe2c61e3046a485a898741a152518d6018b7d0e1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 21 Jan 2026 01:38:42 +0100
Subject: [PATCH 1/2] swscale/utils: Avoid FF_ALLOC_TYPED_ARRAY() and use av_malloc_array() directly

Fixes: multiple integer overflows
Fixes: out of array access
Regression since: a408d03ee6eeda98e77301dcdea3bdf40c0d4afc

The PoC modifies filter parameters generally inaccessible to an attacker

Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Michael Niedermayer
---
 libswscale/utils.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/libswscale/utils.c b/libswscale/utils.c
index 8f8789b24d..846ee21207 100644
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
@@ -103,7 +103,8 @@ int ff_shuffle_filter_coefficients(SwsInternal *c, int *filterPos, if ((c->srcBpc == 8) && (c->dstBpc <= 14)) { int16_t *filterCopy = NULL; if (filterSize > 4) { - if (!FF_ALLOC_TYPED_ARRAY(filterCopy, dstW * filterSize)) + filterCopy = av_malloc_array(dstW, filterSize * sizeof(*filterCopy)); + if (!filterCopy) return AVERROR(ENOMEM); memcpy(filterCopy, filter, dstW * filterSize * sizeof(int16_t)); } @@ -282,7 +283,8 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filterSize = FFMIN(filterSize, srcW - 2); filterSize = FFMAX(filterSize, 1); - if (!FF_ALLOC_TYPED_ARRAY(filter, dstW * filterSize)) + filter = av_malloc_array(dstW, filterSize * sizeof(*filter)); + if (!filter) goto nomem; xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7); for (i = 0; i < dstW; i++) { @@ -381,7 +383,8 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, if (dstFilter) filter2Size += dstFilter->length - 1; av_assert0(filter2Size > 0); - if (!FF_ALLOCZ_TYPED_ARRAY(filter2, dstW * filter2Size)) + filter2 = av_malloc_array(dstW, filter2Size * sizeof(*filter2)); + if (!filter2) goto nomem; for (i = 0; i < dstW; i++) { int j, k; @@ -549,7 +552,8 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, // Note the +1 is for the MMX scaler which reads over the end /* align at 16 for AltiVec (needed by hScale_altivec_real) */ - if (!FF_ALLOCZ_TYPED_ARRAY(*outFilter, *outFilterSize * (dstW + 3))) + *outFilter = av_malloc_array(dstW + 3, *outFilterSize * sizeof(**outFilter)); + if (!outFilter) goto nomem; /* normalize & store in outFilter */ 
@@ -1716,8 +1720,9 @@ av_cold int ff_sws_init_single_context(SwsContext *sws, SwsFilter *srcFilter, goto fail; #if HAVE_ALTIVEC - if (!FF_ALLOC_TYPED_ARRAY(c->vYCoeffsBank, c->vLumFilterSize * sws->dst_h) || - !FF_ALLOC_TYPED_ARRAY(c->vCCoeffsBank, c->vChrFilterSize * c->chrDstH)) + c->vYCoeffsBank = av_malloc_array(sws->dst_h, c->vLumFilterSize * sizeof(*c->vYCoeffsBank)); + c->vCCoeffsBank = av_malloc_array(c->chrDstH, c->vChrFilterSize * sizeof(*c->vCCoeffsBank)); + if (c->vYCoeffsBank == NULL || c->vCCoeffsBank == NULL) goto nomem; for (i = 0; i < c->vLumFilterSize * sws->dst_h; i++) { -- 2.52.0 >>From 60bcef52ca42c11b5a51ba1c20f9db26fd0cf910 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jan 2026 01:38:42 +0100 Subject: [PATCH 2/2] swscale/utils: Sanity check sizeFactor Fixes: multiple integer overflows Fixes: out of array access The PoC modifies filter parameters generally inaccessable to an attacker Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 846ee21207..ee4342884a 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -275,6 +275,11 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, sizeFactor = param[0] != SWS_PARAM_DEFAULT ? ceil(2 * param[0]) : 6; av_assert0(sizeFactor > 0); + if (sizeFactor > 50) { + ret = AVERROR(EINVAL); + goto fail; + } + if (xInc <= 1 << 16) filterSize = 1 + sizeFactor; // upscale else -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
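Review bot: in the first hunk (ff_shuffle_filter_coefficients, @@ -103), the memcpy right below the new allocation still sizes itself with `dstW * filterSize * sizeof(int16_t)`, which is the same int product the old `FF_ALLOC_TYPED_ARRAY(filterCopy, dstW * filterSize)` evaluated before the macro could check it; it is safe now only because `av_malloc_array(dstW, filterSize * sizeof(*filterCopy))` returns NULL whenever that product cannot fit, so a one-line comment stating that the size check is delegated to the allocator would help the next reader, and writing the memcpy length with `sizeof(*filterCopy)` as well keeps the two expressions in step.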
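Review bot: the filter2 hunk (@@ -381) drops zero-initialisation: FF_ALLOCZ_TYPED_ARRAY zero-filled the buffer, av_malloc_array does not, and the `for (i = 0; i < dstW; i++)` loop that follows builds filter2 from the filter/srcFilter data row by row. If that loop accumulates into filter2 or leaves any of the filter2Size slots of a row untouched, those slots are now uninitialised heap memory that feeds the coefficient computation. Unless every element is provably written before it is read, use `filter2 = av_calloc(dstW, filter2Size * sizeof(*filter2));`, which keeps both the overflow check and the zeroing.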
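Review bot: the outFilter hunk (@@ -549) checks the wrong pointer: `if (!outFilter)` tests the `int16_t **` parameter, which is never NULL here, instead of the buffer just assigned to `*outFilter`, so an allocation failure falls through to the normalize-and-store loop and writes through NULL. It should read `if (!*outFilter)`. The same hunk also swaps FF_ALLOCZ_TYPED_ARRAY for av_malloc_array, so the three padding rows that the comment above the allocation justifies ("the MMX scaler which reads over the end") are no longer zeroed; either use `*outFilter = av_calloc(dstW + 3, *outFilterSize * sizeof(**outFilter));` or zero those rows explicitly after the store loop.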
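Review bot: in the AltiVec hunk (@@ -1716), the loop bound immediately after the new checks, `for (i = 0; i < c->vLumFilterSize * sws->dst_h; i++)`, is the same int product the old macro handed to the allocator, so overflow protection here rests entirely on `av_malloc_array(sws->dst_h, c->vLumFilterSize * sizeof(*c->vYCoeffsBank))` failing for products that do not fit; a short comment saying so would save the next reader from re-deriving it. Two smaller points: the `== NULL` test differs from the `if (!filter)` form used in the other hunks of this patch, and because the block sits under `#if HAVE_ALTIVEC` it will not be compiled on most CI targets, so it deserves a build on an AltiVec configuration before merging.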
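Review bot: in the PATCH 2/2 hunk (@@ -275), `if (sizeFactor > 50)` introduces a bare magic number; a comment or named constant explaining where 50 comes from, that is, how large a sizeFactor the filterSize arithmetic below (`filterSize = 1 + sizeFactor` for upscale and the downscale branch) can tolerate without overflowing, would make the bound reviewable and keep it in step if that arithmetic changes. Returning AVERROR(EINVAL) silently also leaves the caller with no indication of which parameter was rejected; an av_log at AV_LOG_ERROR level naming param[0] before `goto fail` would help. Finally, since this check now handles the upper range, consider folding the existing `av_assert0(sizeFactor > 0)` just above into the same range check so that a non-positive user-supplied param is reported as EINVAL rather than aborting the process.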