* [FFmpeg-devel] [PR] lavf/bwdif: fix heap-buffer-overflow with small height videos (PR #21574)
From: Jun Zhao via ffmpeg-devel @ 2026-01-25 2:59 UTC
To: ffmpeg-devel; +Cc: Jun Zhao
PR #21574 opened by Jun Zhao (mypopydev)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574.patch
Reproduce:
ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -
filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
For small height videos (h <= 4), this causes heap-buffer-overflow.
Consolidate boundary checks before filter_intra. Fall back to filter_edge
for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
calls for both YADIF_FIELD_END and normal paths.
Test file: 160x4 gray16 JPEG
https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15
fix #21570
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
From 2fb2658515f7fb0d47ca4710f2ebd672934497c0 Mon Sep 17 00:00:00 2001
From: Jun Zhao <barryjzhao@tencent.com>
Date: Sun, 25 Jan 2026 10:31:48 +0800
Subject: [PATCH] lavf/bwdif: fix heap-buffer-overflow with small height videos
Reproduce:
ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -
filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
For small height videos (h <= 4), this causes heap-buffer-overflow.
Consolidate boundary checks before filter_intra. Fall back to filter_edge
for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
calls for both YADIF_FIELD_END and normal paths.
Test file: 160x4 gray16 JPEG
https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15
fix #21570
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
---
libavfilter/vf_bwdif.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c
index d49f3f66d6..4780b98508 100644
--- a/libavfilter/vf_bwdif.c
+++ b/libavfilter/vf_bwdif.c
@@ -76,19 +76,21 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
uint8_t *cur = &yadif->cur ->data[td->plane][y * linesize];
uint8_t *next = &yadif->next->data[td->plane][y * linesize];
uint8_t *dst = &td->frame->data[td->plane][y * td->frame->linesize[td->plane]];
- if (yadif->current_field == YADIF_FIELD_END) {
- s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs,
- y > (df - 1) ? -refs : refs,
- (y + 3*df) < td->h ? 3 * refs : -refs,
- y > (3*df - 1) ? -3 * refs : refs,
- td->parity ^ td->tff, clip_max);
- } else if ((y < 4) || ((y + 5) > td->h)) {
+ int is_edge = (y < 4) || ((y + 5) > td->h);
+
+ if (is_edge) {
s->dsp.filter_edge(dst, prev, cur, next, td->w,
(y + df) < td->h ? refs : -refs,
y > (df - 1) ? -refs : refs,
refs << 1, -(refs << 1),
td->parity ^ td->tff, clip_max,
(y < 2) || ((y + 3) > td->h) ? 0 : 1);
+ } else if (yadif->current_field == YADIF_FIELD_END) {
+ s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ? refs : -refs,
+ y > (df - 1) ? -refs : refs,
+ (y + 3*df) < td->h ? 3 * refs : -refs,
+ y > (3*df - 1) ? -3 * refs : refs,
+ td->parity ^ td->tff, clip_max);
} else if (s->dsp.filter_line3 && y + 2 < slice_end && y + 6 < td->h) {
s->dsp.filter_line3(dst, td->frame->linesize[td->plane],
prev, cur, next, linesize, td->w,
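Review bot: With is_edge now tested ahead of the YADIF_FIELD_END branch, edge rows of a YADIF_FIELD_END frame are handed to filter_edge, which takes prev and next, where they were previously handed to filter_intra, which takes only cur. The commit message describes a bounds fix but does not say that prev and next are valid to read in the YADIF_FIELD_END case; please confirm that in the message or in a comment above the is_edge test. This also changes which filter produces the first four and last four rows of such frames at every height, not only for h <= 4, so the message should mention the output change.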
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
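The row selection described in the commit message above, modelled as an added example (not code from the patch or from FFmpeg): it evaluates the four offset ternaries of the filter_intra call in units of rows and counts the rows whose reads would land outside the plane, with and without the is_edge guard. Assumptions: df is a free parameter because its definition is not shown on the page (2 is assumed for the 16-bit test file), and every row is treated as a candidate for filter_intra.

```c
#include <stdio.h>

/* Row offsets that the filter_intra call in the diff passes as prefs,
 * mrefs, prefs3 and mrefs3, expressed in rows instead of refs.
 * df is a parameter: its definition is not on the page (assumption). */
static void intra_offsets(int y, int h, int df, int off[4])
{
    off[0] = (y + df) < h     ?  1 : -1;   /* prefs  */
    off[1] = y > (df - 1)     ? -1 :  1;   /* mrefs  */
    off[2] = (y + 3 * df) < h ?  3 : -1;   /* prefs3 */
    off[3] = y > (3 * df - 1) ? -3 :  1;   /* mrefs3 */
}

/* Edge test introduced by the patch; such rows go to filter_edge. */
static int is_edge(int y, int h)
{
    return (y < 4) || ((y + 5) > h);
}

/* Count rows in [0, h) for which filter_intra would receive an offset
 * pointing outside the plane. guarded = 0 models the pre-patch order
 * (no edge test before filter_intra), guarded = 1 the patched order. */
int count_oob_rows(int h, int df, int guarded)
{
    int bad = 0;
    for (int y = 0; y < h; y++) {
        int off[4], oob = 0;
        if (guarded && is_edge(y, h))
            continue;                      /* handled by filter_edge */
        intra_offsets(y, h, df, off);
        for (int i = 0; i < 4; i++)
            oob |= (y + off[i] < 0) || (y + off[i] >= h);
        bad += oob;
    }
    return bad;
}

int main(void)
{
    const int heights[] = { 4, 16 };       /* 4 = height of the test file */
    for (int i = 0; i < 2; i++)
        printf("h=%2d df=2: unguarded oob rows=%d, guarded=%d\n", heights[i],
               count_oob_rows(heights[i], 2, 0),
               count_oob_rows(heights[i], 2, 1));
    return 0;
}
```
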
* [FFmpeg-devel] Re: [PR] lavf/bwdif: fix heap-buffer-overflow with small height videos (PR #21574)
From: Thomas Mundt via ffmpeg-devel @ 2026-02-17 22:21 UTC
To: FFmpeg development discussions and patches; +Cc: Jun Zhao, Thomas Mundt
Jun Zhao via ffmpeg-devel <ffmpeg-devel@ffmpeg.org> wrote on Sun, 25 Jan 2026, 03:59:
> PR #21574 opened by Jun Zhao (mypopydev)
> URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574
> Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21574.patch
>
> Reproduce:
> ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -
>
> filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
> For small height videos (h <= 4), this causes heap-buffer-overflow.
> Consolidate boundary checks before filter_intra. Fall back to filter_edge
> for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
> calls for both YADIF_FIELD_END and normal paths.
>
> Test file: 160x4 gray16 JPEG
> https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15
>
> fix #21570
>
> Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
>
>
> From 2fb2658515f7fb0d47ca4710f2ebd672934497c0 Mon Sep 17 00:00:00 2001
> From: Jun Zhao <barryjzhao@tencent.com>
> Date: Sun, 25 Jan 2026 10:31:48 +0800
> Subject: [PATCH] lavf/bwdif: fix heap-buffer-overflow with small height
> videos
>
> Reproduce:
> ffmpeg -i /tmp/bwdif_test_input_160x4_gray16.jpg -vf "bwdif" -f null -
>
> filter_intra accesses rows 3 lines away via cur[mrefs3] and cur[prefs3].
> For small height videos (h <= 4), this causes heap-buffer-overflow.
> Consolidate boundary checks before filter_intra. Fall back to filter_edge
> for edge cases (y < 4 or y + 5 > td->h), avoiding duplicate filter_edge
> calls for both YADIF_FIELD_END and normal paths.
>
> Test file: 160x4 gray16 JPEG
> https://code.ffmpeg.org/attachments/db2ace24-bc00-4af6-a53a-5df6b0d51b15
>
> fix #21570
>
> Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
> ---
> libavfilter/vf_bwdif.c | 16 +++++++++-------
> 1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c
> index d49f3f66d6..4780b98508 100644
> --- a/libavfilter/vf_bwdif.c
> +++ b/libavfilter/vf_bwdif.c
> @@ -76,19 +76,21 @@ static int filter_slice(AVFilterContext *ctx, void
> *arg, int jobnr, int nb_jobs)
> uint8_t *cur = &yadif->cur ->data[td->plane][y * linesize];
> uint8_t *next = &yadif->next->data[td->plane][y * linesize];
> uint8_t *dst = &td->frame->data[td->plane][y *
> td->frame->linesize[td->plane]];
> - if (yadif->current_field == YADIF_FIELD_END) {
> - s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ?
> refs : -refs,
> - y > (df - 1) ? -refs : refs,
> - (y + 3*df) < td->h ? 3 * refs : -refs,
> - y > (3*df - 1) ? -3 * refs : refs,
> - td->parity ^ td->tff, clip_max);
> - } else if ((y < 4) || ((y + 5) > td->h)) {
> + int is_edge = (y < 4) || ((y + 5) > td->h);
> +
> + if (is_edge) {
> s->dsp.filter_edge(dst, prev, cur, next, td->w,
> (y + df) < td->h ? refs : -refs,
> y > (df - 1) ? -refs : refs,
> refs << 1, -(refs << 1),
> td->parity ^ td->tff, clip_max,
> (y < 2) || ((y + 3) > td->h) ? 0 : 1);
> + } else if (yadif->current_field == YADIF_FIELD_END) {
> + s->dsp.filter_intra(dst, cur, td->w, (y + df) < td->h ?
> refs : -refs,
> + y > (df - 1) ? -refs : refs,
> + (y + 3*df) < td->h ? 3 * refs : -refs,
> + y > (3*df - 1) ? -3 * refs : refs,
> + td->parity ^ td->tff, clip_max);
> } else if (s->dsp.filter_line3 && y + 2 < slice_end && y + 6
> < td->h) {
> s->dsp.filter_line3(dst, td->frame->linesize[td->plane],
> prev, cur, next, linesize, td->w,
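Review bot: The filter_intra call in the new else-if branch keeps its four ternaries on (y + df), (df - 1), (y + 3*df) and (3*df - 1), but that branch is now reached only when y >= 4 and y + 5 <= td->h, so rows y-3 through y+3 are always inside the plane and the fallback values no longer act as bounds protection. Either pass the plain offsets (refs, -refs, 3 * refs, -3 * refs) or add a comment explaining why the df-scaled comparisons are kept. The diffstat touches only libavfilter/vf_bwdif.c; a regression test built on the 160x4 input from the description would keep this path covered.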
> --
> 2.52.0
>
>
> LGTM.
Thanks, Thomas