From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id E069F4DAB1 for ; Fri, 23 Jan 2026 02:46:21 +0000 (UTC) Authentication-Results: ffbox; dkim=fail (body hash mismatch (got b'zPxjTS661FgTwY2SWAISUo/ym3ZI5QmT+4GtzZgk4x0=', expected b'gYPXnzXu8MT6yKSGRIFtqBFzAD8GreTPAev0if6wGhc=')) header.d=ffmpeg.org header.i=@ffmpeg.org header.a=rsa-sha256 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org; i=@ffmpeg.org; q=dns/txt; s=mail; t=1769136370; h=mime-version : to : date : message-id : reply-to : subject : list-id : list-archive : list-archive : list-help : list-owner : list-post : list-subscribe : list-unsubscribe : from : cc : content-type : content-transfer-encoding : from; bh=zPxjTS661FgTwY2SWAISUo/ym3ZI5QmT+4GtzZgk4x0=; b=TCo2HyVqVwP39kWtsOk/ws9rkAadeC0NRU7Hip/tSiMsYYo7RaHwcDUIaIZ5EFL2UoUja c3JEa6JSqsrZHDsYXfxeIzudBJQFO7nV1zll/0W1xCvpbJVCzIlP5AfsDThwQaqxAuBnD5J hOnk+m8b+tqgcPhZE8JmYityXV6hszZ2dhkutfuM7c74QCJAoc1i7n6VXBbwlYUFbZbmpDo htdQLbwEoRt4aZU3r4grVOC1fHz4xIR14uPk+1R5JhXrATH55jkcDf97PS6eV+Q+B/0erK6 a6mNl+zZjjYD9JJGWOBneAmIf86+DZw7tB1k6XoMbUPxcQd23hqBXmxaivDA== Received: from [172.20.0.4] (unknown [172.20.0.4]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 2B7586911DB; Fri, 23 Jan 2026 04:46:10 +0200 (EET) ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1769136352; b=rk6c0gOSCySIr2QR1KG6yMmeuiWTNAkTFJ4O46KcEpakdaruFfABOq0Ftqtm2UoNKxV3r 2Tl6lu7MyE/cNngdZZY9GaLwX+p7T8r83vi1GG+4bvcHtA7Rp79EqEhW3Bxe7gJBV6tvAxw kqwqeF/TbmDARwkqz9mtha+IbMlMVFNbXD/WpqEJiCU3YBIM7Ije7yJOeDsD5olnSHHYcu5 ERJb14AWqRjs/zJ3ABmQfO4hLepm3KOFRdT5zpK+bcfg+Cuf2FCrTRZ2i/eY05zGLRJrq5M eiLjswAFvrQM/t6qOR9XuFyGdAH9rXc740fABtT59LqS5SfXmKFlCjVAdY+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ffmpeg.org; s=arc; t=1769136352; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=6853o0ZW4zNMtyn62vzaQwQ16HmKZ+22eZdHmXSeWIM=; b=X3xI8zunfgAFTF0rJu8ANdJdZzjWwPeZbmYyzF5gwjtue/H4hxOHSUrjOBYOO5IIKUzQi 2AqNi9IlbQK9k9TGMdGD2lXpakgF6WP7N9+WFYc0rro9Adevrk/YS25jKsjQ8GCVr8a7pzf eMQGx2syitVDVFJRxDRnZ/qOZZMYpxqkgaMTcP3B0q5W03lNpgNi1Wkw/5tg6ezq0GgZt7A nlQthTcV3XoGUrInM5GX8HRCsqjQEtkJTgQpoeQLSI1chtTdgtgHq9KyA4HG1t8cwya4D6D 0ythj4ycaH2zP+LJOCF741EIQhtrEBHJ0DGJPMu+usUH5sNgviZbSGMSEwdQ== ARC-Authentication-Results: i=1; ffmpeg.org; dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org; arc=none; dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine Authentication-Results: ffmpeg.org; dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org; arc=none (Message is not ARC signed); dmarc=pass (Used From Domain Record) header.from=ffmpeg.org policy.dmarc=quarantine DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org; i=@ffmpeg.org; q=dns/txt; s=mail; t=1769136344; h=content-type : mime-version : content-transfer-encoding : from : to : reply-to : subject : date : from; bh=gYPXnzXu8MT6yKSGRIFtqBFzAD8GreTPAev0if6wGhc=; b=hPTSmXaihwotmyLWyiuYKqp4wUhhOeVus8qvErLRO+fQe4FGhJPHyJfY2PlOQ8o9Pe0Iw 2wToMw3abUlBWbqLD5Noa9IZRI7mY8dDodPonhuFrvkjcJ2A1rmV+2HH7ndZpxclQGQTEDk g3PwU/PqROM+clKe6pMoE6jLhoiBJgwClMm7zAbVleI8DUD2jKrb1nketTRM1Hf/VEbwQKj PjBQH5FtcqGt4qZJ33e6L6CvithNk25IjpCVYMtDv6g8iHGqQae+mqITgjXLiudou/Uz+In ZguFjDWDpPCAQ+xSKr1isYRCfPvFVEcWyDxIc2EsqnmQdEY+si0JP9ceugOg== Received: from 69dab402ede7 (code.ffmpeg.org [188.245.149.3]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 9231D6910F6 for ; Fri, 23 Jan 2026 04:45:44 +0200 (EET) MIME-Version: 1.0 To: ffmpeg-devel@ffmpeg.org Date: Fri, 23 Jan 2026 02:45:44 -0000 Message-ID: <176913634474.25.13143480878511079517@4457048688e7> Message-ID-Hash: 6QXS47IGFM2D43LNXQW66AT7IOSCUB77 X-Message-ID-Hash: 6QXS47IGFM2D43LNXQW66AT7IOSCUB77 X-MailFrom: code@ffmpeg.org X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-ffmpeg-devel.ffmpeg.org-0; header-match-ffmpeg-devel.ffmpeg.org-1; header-match-ffmpeg-devel.ffmpeg.org-2; header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation X-Mailman-Version: 3.3.10 Precedence: list Reply-To: FFmpeg development discussions and patches Subject: [FFmpeg-devel] [PR] avcodec/vp9: Reallocate on resolution change which does not change tile_cols (PR #21550) List-Id: FFmpeg development discussions and patches Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: michaelni via ffmpeg-devel Cc: michaelni Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Archived-At: List-Archive: List-Post: PR #21550 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21550 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21550.patch Fixes: out of array access on resolution change with slices threads Fixes: VULN-10/poc.ivf Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer >>From bb74d752a1ba32a76157f13d2ddac119084f863f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Jan 2026 00:06:23 +0100 Subject: [PATCH] avcodec/vp9: Reallocate on resolution change which does not change tile_cols Fixes: out of array access on resolution change with slices threads Fixes: VULN-10/poc.ivf Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 715d3b7563..454346532c 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -177,10 +177,12 @@ static int update_size(AVCodecContext *avctx, int w, int h) uint8_t *p; int bytesperpixel = s->bytesperpixel, ret, cols, rows; int lflvl_len, i; + int changed = 0; av_assert0(w > 0 && h > 0); if (!(s->pix_fmt == s->gf_fmt && w == s->w && h == s->h)) { + changed = 1; if ((ret = ff_set_dimensions(avctx, w, h)) < 0) return ret; @@ -266,7 +268,7 @@ static int update_size(AVCodecContext *avctx, int w, int h) rows = (h + 7) >> 3; if (s->intra_pred_data[0] && cols == s->cols && rows == s->rows && s->pix_fmt == s->last_fmt) - return 0; + return changed; s->last_fmt = s->pix_fmt; s->sb_cols = (w + 63) >> 6; @@ -311,9 +313,10 @@ static int update_size(AVCodecContext *avctx, int w, int h) ff_vp9dsp_init(&s->dsp, s->s.h.bpp, avctx->flags & AV_CODEC_FLAG_BITEXACT); ff_videodsp_init(&s->vdsp, s->s.h.bpp); s->last_bpp = s->s.h.bpp; + changed = 1; } - return 0; + return changed; } static int update_block_buffers(AVCodecContext *avctx) @@ -520,6 +523,7 @@ static int decode_frame_header(AVCodecContext *avctx, int c, i, j, k, l, m, n, w, h, max, size2, ret, sharp; int last_invisible; const uint8_t *data2; + int changed; /* general header */ if ((ret = init_get_bits8(&s->gb, data, size)) < 0) { @@ -789,10 +793,10 @@ FF_ENABLE_DEPRECATION_WARNINGS } /* tiling info */ - if ((ret = update_size(avctx, w, h)) < 0) { + if ((changed = update_size(avctx, w, h)) < 0) { av_log(avctx, AV_LOG_ERROR, "Failed to initialize decoder for %dx%d @ %d\n", w, h, s->pix_fmt); - return ret; + return changed; } for (s->s.h.tiling.log2_tile_cols = 0; s->sb_cols > (64 << s->s.h.tiling.log2_tile_cols); @@ -807,7 +811,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } s->s.h.tiling.log2_tile_rows = decode012(&s->gb); s->s.h.tiling.tile_rows = 1 << s->s.h.tiling.log2_tile_rows; - if (s->s.h.tiling.tile_cols != (1 << s->s.h.tiling.log2_tile_cols)) { + if (s->s.h.tiling.tile_cols != (1 << s->s.h.tiling.log2_tile_cols) || changed) { int n_range_coders; VPXRangeCoder *rc; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org