From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 25 Jan 2026 02:59:18 -0000
Message-ID: <176930996009.25.1425027762134729195@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] lavf/bwdif: fix heap-buffer-overflow with small height videos (PR #21574)
List-Id: FFmpeg development discussions and patches
From: Jun Zhao via ffmpeg-devel
Cc: Jun Zhao
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

PR #21574 opened by Jun Zhao (mypopydev)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574.patch

Reproduce:
ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -

filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
For small height videos (h <= 4), this causes heap-buffer-overflow.

Consolidate boundary checks before filter_intra. Fall back to filter_edge
for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
calls for both YADIF_FIELD_END and normal paths.

Test file: 160x4 gray16 JPEG
https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15

fix #21570

Signed-off-by: Jun Zhao

>>From 2fb2658515f7fb0d47ca4710f2ebd672934497c0 Mon Sep 17 00:00:00 2001
From: Jun Zhao
Date: Sun, 25 Jan 2026 10:31:48 +0800
Subject: [PATCH] lavf/bwdif: fix heap-buffer-overflow with small height videos

Reproduce:
ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -

filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
For small height videos (h <= 4), this causes heap-buffer-overflow.

Consolidate boundary checks before filter_intra. Fall back to filter_edge
for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
calls for both YADIF_FIELD_END and normal paths.

Test file: 160x4 gray16 JPEG
https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15

fix #21570

Signed-off-by: Jun Zhao
---
 libavfilter/vf_bwdif.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index d49f3f66d6..4780b98508 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c 
@@ -76,19 +76,21 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) uint8_t *cur = &yadif->cur ->data[td->plane][y * linesize]; uint8_t *next = &yadif->next->data[td->plane][y * linesize]; uint8_t *dst = &td->frame->data[td->plane][y * td->frame->linesize[td->plane]]; - if (yadif->current_field == YADIF_FIELD_END) { - s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, - y > (df - 1) ? -refs : refs, - (y + 3*df) < td->h ? 3 * refs : -refs, - y > (3*df - 1) ? -3 * refs : refs, - td->parity ^ td->tff, clip_max); - } else if ((y < 4) || ((y + 5) > td->h)) { + int is_edge = (y < 4) || ((y + 5) > td->h); + + if (is_edge) { s->dsp.filter_edge(dst, prev, cur, next, td->w, (y + df) < td->h ? refs : -refs, y > (df - 1) ? -refs : refs, refs << 1, -(refs << 1), td->parity ^ td->tff, clip_max, (y < 2) || ((y + 3) > td->h) ? 0 : 1); + } else if (yadif->current_field == YADIF_FIELD_END) { + s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs, + y > (df - 1) ? -refs : refs, + (y + 3*df) < td->h ? 3 * refs : -refs, + y > (3*df - 1) ? -3 * refs : refs, + td->parity ^ td->tff, clip_max); } else if (s->dsp.filter_line3 && y + 2 < slice_end && y + 6 < td->h) { s->dsp.filter_line3(dst, td->frame->linesize[td->plane], prev, cur, next, linesize, td->w, -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
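
Review bot: Testing is_edge ahead of the YADIF_FIELD_END check in filter_slice changes behaviour beyond the small-height case. For every frame with current_field == YADIF_FIELD_END, rows with y < 4 or y + 5 > td->h now go through s->dsp.filter_edge(dst, prev, cur, next, ...), which takes prev and next, where they previously went through filter_intra, which takes only cur. Please confirm that prev and next are valid in that state, and state in the commit message that output on those rows changes for videos of any height. The alternative is to keep the intra path for those rows and fix the offsets themselves, since the fallback values in the 3-line ternaries (-refs and refs) are used without a bounds check of their own. In the relocated filter_intra branch is_edge is false, so y >= 4 and y + 5 <= td->h hold there; a short comment stating that invariant would help, and it is worth checking whether the remaining ternaries can still take their fallback side. A regression test with a very small height input would keep this from returning. The subject prefix lavf/bwdif reads as libavformat, while the file changed is libavfilter/vf_bwdif.c.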