Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
From: Jun Zhao via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: Jun Zhao <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] lavf/bwdif: fix heap-buffer-overflow with small height videos (PR #21574)
Date: Sun, 25 Jan 2026 02:59:18 -0000
Message-ID: <176930996009.25.1425027762134729195@4457048688e7>

PR #21574 opened by Jun Zhao (mypopydev)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574.patch

Reproduce:
  ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -

filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
For small height videos (h <= 4), this causes heap-buffer-overflow.
Consolidate boundary checks before filter_intra. Fall back to filter_edge
for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
calls for both YADIF_FIELD_END and normal paths.

Test file: 160x4 gray16 JPEG
https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15

fix #21570

Signed-off-by: Jun Zhao <barryjzhao@tencent.com>


>From 2fb2658515f7fb0d47ca4710f2ebd672934497c0 Mon Sep 17 00:00:00 2001
From: Jun Zhao <barryjzhao@tencent.com>
Date: Sun, 25 Jan 2026 10:31:48 +0800
Subject: [PATCH] lavf/bwdif: fix heap-buffer-overflow with small height videos

Reproduce:
  ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -

filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
For small height videos (h <= 4), this causes heap-buffer-overflow.
Consolidate boundary checks before filter_intra. Fall back to filter_edge
for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
calls for both YADIF_FIELD_END and normal paths.

Test file: 160x4 gray16 JPEG
https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15

fix #21570

Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
---
 libavfilter/vf_bwdif.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c
index d49f3f66d6..4780b98508 100644
--- a/libavfilter/vf_bwdif.c
+++ b/libavfilter/vf_bwdif.c
@@ -76,19 +76,21 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
             uint8_t *cur  = &yadif->cur ->data[td->plane][y * linesize];
             uint8_t *next = &yadif->next->data[td->plane][y * linesize];
             uint8_t *dst  = &td->frame->data[td->plane][y * td->frame->linesize[td->plane]];
-            if (yadif->current_field == YADIF_FIELD_END) {
-                s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs,
-                                y > (df - 1) ? -refs : refs,
-                                (y + 3*df) < td->h ? 3 * refs : -refs,
-                                y > (3*df - 1) ? -3 * refs : refs,
-                                td->parity ^ td->tff, clip_max);
-            } else if ((y < 4) || ((y + 5) > td->h)) {
+            int is_edge = (y < 4) || ((y + 5) > td->h);
+
+            if (is_edge) {
                 s->dsp.filter_edge(dst, prev, cur, next, td->w,
                                (y + df) < td->h ? refs : -refs,
                                y > (df - 1) ? -refs : refs,
                                refs << 1, -(refs << 1),
                                td->parity ^ td->tff, clip_max,
                                (y < 2) || ((y + 3) > td->h) ? 0 : 1);
+            } else if (yadif->current_field == YADIF_FIELD_END) {
+                s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs,
+                                y > (df - 1) ? -refs : refs,
+                                (y + 3*df) < td->h ? 3 * refs : -refs,
+                                y > (3*df - 1) ? -3 * refs : refs,
+                                td->parity ^ td->tff, clip_max);
             } else if (s->dsp.filter_line3 && y + 2 < slice_end && y + 6 < td->h) {
                 s->dsp.filter_line3(dst, td->frame->linesize[td->plane],
                                 prev, cur, next, linesize, td->w,
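Review bot: Hoisting `is_edge` above the `yadif->current_field == YADIF_FIELD_END` branch changes behaviour for every frame height, not only the h <= 4 case the message describes: END-field rows with `y < 4` or `y + 5 > td->h` now go to `filter_edge`, which is passed `prev`, `cur` and `next`, where they used to go to `filter_intra`, which is passed only `cur`. Please state in the commit message whether `prev` and `next` are valid to read when `current_field` is `YADIF_FIELD_END`, and whether the changed output on the top and bottom rows of normal-height END fields is intended (and if any reference output has to be regenerated). If that change is not wanted, a narrower guard that diverts to `filter_edge` only when the `3 * refs` / `-3 * refs` offsets or their `-refs` / `refs` fallbacks would leave the plane would keep the intra path for the remaining rows. A one-line comment next to `int is_edge` saying that `filter_intra` reads up to three rows above and below would also keep the ordering from being undone later. Minor: the subject prefix `lavf/` usually denotes libavformat, while the file touched is `libavfilter/vf_bwdif.c`.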
-- 
2.52.0



Thread overview: 2+ messages
2026-01-25  2:59 Jun Zhao via ffmpeg-devel [this message]
2026-02-17 22:21 ` [FFmpeg-devel] " Thomas Mundt via ffmpeg-devel
