* [FFmpeg-devel] [PR] ff-tmp-hevc-windows (PR #22268)
@ 2026-02-23 21:00 michaelni via ffmpeg-devel
From: michaelni via ffmpeg-devel @ 2026-02-23 21:00 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: michaelni
PR #22268 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22268
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22268.patch
>From a0c63363fef06d46459f2c073b1ab3949a9e1d32 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 22 Feb 2026 21:50:37 +0100
Subject: [PATCH 1/2] avcodec/hevc/ps: Factor window reading out
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hevc/ps.c | 49 ++++++++++++++++++++++++--------------------
libavcodec/hevc/ps.h | 5 +----
2 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index 46b38564d5..3606e9c29f 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -62,6 +62,22 @@ static const uint8_t hevc_sub_height_c[] = {
1, 2, 1, 1
};
+static int read_window(HEVCWindow *window, GetBitContext *gb, int chroma_format_idc, int w, int h)
+{
+ int64_t vert_mult = hevc_sub_height_c[chroma_format_idc];
+ int64_t horiz_mult = hevc_sub_width_c [chroma_format_idc];
+ int64_t left = get_ue_golomb_long(gb) * horiz_mult;
+ int64_t right = get_ue_golomb_long(gb) * horiz_mult;
+ int64_t top = get_ue_golomb_long(gb) * vert_mult;
+ int64_t bottom = get_ue_golomb_long(gb) * vert_mult;
+
+ window->left_offset = left;
+ window->right_offset = right;
+ window->top_offset = top;
+ window->bottom_offset = bottom;
+ return 0;
+}
+
static void remove_sps(HEVCParamSets *s, int id)
{
int i;
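Review bot: read_window indexes hevc_sub_height_c and hevc_sub_width_c with chroma_format_idc without any range check, and the table visible just above the function has four entries. The callers presumably validate the value before calling, but that is not visible in these hunks, so the precondition should be written down at the helper: `/* chroma_format_idc must already be validated to 0..3 by the caller */`. An out-of-range index here would read past a static table using a value taken from the bitstream, so it is worth making the contract explicit. The hunk ends inside remove_sps, whose body continues outside it.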
@@ -702,12 +718,9 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
}
if (get_bits1(gb) /* conformance_window_vps_flag */) {
- int vert_mult = hevc_sub_height_c[vps->rep_format.chroma_format_idc];
- int horiz_mult = hevc_sub_width_c[vps->rep_format.chroma_format_idc];
- vps->rep_format.conf_win_left_offset = get_ue_golomb(gb) * horiz_mult;
- vps->rep_format.conf_win_right_offset = get_ue_golomb(gb) * horiz_mult;
- vps->rep_format.conf_win_top_offset = get_ue_golomb(gb) * vert_mult;
- vps->rep_format.conf_win_bottom_offset = get_ue_golomb(gb) * vert_mult;
+ int ret = read_window(&vps->rep_format.conf_win, gb, vps->rep_format.chroma_format_idc, vps->rep_format.pic_width_in_luma_samples, vps->rep_format.pic_height_in_luma_samples);
+ if (ret < 0)
+ return ret;
}
vps->max_one_active_ref_layer = get_bits1(gb);
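Review bot: This call site changes behaviour beyond factoring: the removed lines read the offsets with get_ue_golomb() into int arithmetic and stored them in uint16_t fields, while read_window uses get_ue_golomb_long() with int64_t products. The value in the overflow report quoted in patch 2/2, -1094995529, equals AVERROR_INVALIDDATA, which suggests the old code was multiplying get_ue_golomb()'s error return. If so, the arithmetic fix lands in this commit rather than in the one carrying the Fixes: trailer. I would state that in the commit message, e.g. `Also switches the VPS conformance window to get_ue_golomb_long() and 64-bit arithmetic`, so a backport of only one of the two patches is not mistaken for the complete fix. decode_vps_ext starts and ends outside the hunk.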
@@ -962,12 +975,7 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx,
vui->default_display_window_flag = get_bits1(gb);
if (vui->default_display_window_flag) {
- int vert_mult = hevc_sub_height_c[sps->chroma_format_idc];
- int horiz_mult = hevc_sub_width_c[sps->chroma_format_idc];
- vui->def_disp_win.left_offset = get_ue_golomb_long(gb) * horiz_mult;
- vui->def_disp_win.right_offset = get_ue_golomb_long(gb) * horiz_mult;
- vui->def_disp_win.top_offset = get_ue_golomb_long(gb) * vert_mult;
- vui->def_disp_win.bottom_offset = get_ue_golomb_long(gb) * vert_mult;
+ read_window(&vui->def_disp_win, gb, sps->chroma_format_idc, sps->width, sps->height);
if (apply_defdispwin &&
avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) {
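Review bot: The result of read_window is discarded here, unlike the VPS and SPS call sites, which propagate it. With the check added in patch 2/2, a rejected window is zeroed but `vui->default_display_window_flag` stays set, so later code sees a flagged window whose offsets are all zero. If dropping the window is the intended recovery, make that explicit with `if (read_window(&vui->def_disp_win, gb, sps->chroma_format_idc, sps->width, sps->height) < 0) vui->default_display_window_flag = 0;` and a one-line comment saying the VUI window is advisory. Whether clearing the flag is right depends on how the rest of decode_vui uses it, which is outside the hunk.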
@@ -1281,10 +1289,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->width = rf->pic_width_in_luma_samples;
sps->height = rf->pic_height_in_luma_samples;
- sps->pic_conf_win.left_offset = rf->conf_win_left_offset;
- sps->pic_conf_win.right_offset = rf->conf_win_right_offset;
- sps->pic_conf_win.top_offset = rf->conf_win_top_offset;
- sps->pic_conf_win.bottom_offset = rf->conf_win_bottom_offset;
+ sps->pic_conf_win.left_offset = rf->conf_win.left_offset;
+ sps->pic_conf_win.right_offset = rf->conf_win.right_offset;
+ sps->pic_conf_win.top_offset = rf->conf_win.top_offset;
+ sps->pic_conf_win.bottom_offset = rf->conf_win.bottom_offset;
} else {
sps->chroma_format_idc = get_ue_golomb_long(gb);
@@ -1307,12 +1315,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->conformance_window = get_bits1(gb);
if (sps->conformance_window) {
- int vert_mult = hevc_sub_height_c[sps->chroma_format_idc];
- int horiz_mult = hevc_sub_width_c[sps->chroma_format_idc];
- sps->pic_conf_win.left_offset = get_ue_golomb_long(gb) * horiz_mult;
- sps->pic_conf_win.right_offset = get_ue_golomb_long(gb) * horiz_mult;
- sps->pic_conf_win.top_offset = get_ue_golomb_long(gb) * vert_mult;
- sps->pic_conf_win.bottom_offset = get_ue_golomb_long(gb) * vert_mult;
+ ret = read_window(&sps->pic_conf_win, gb, sps->chroma_format_idc, sps->width, sps->height);
+ if (ret < 0)
+ return ret;
if (avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) {
av_log(avctx, AV_LOG_DEBUG,
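Review bot: The `return ret;` sits before the AV_CODEC_FLAG2_IGNORE_CROP test on the following line, so once read_window validates the offsets (patch 2/2) an SPS with an out-of-range conformance window is rejected even when the caller asked for cropping to be ignored. That strictness may be intended, since a parameter set with inconsistent fields is not worth trusting further, but it is a behaviour change for existing streams and should be stated in a comment such as `/* an inconsistent conformance window invalidates the SPS, even with IGNORE_CROP */`. If the lenient path is to be preserved instead, the error would have to be downgraded inside the IGNORE_CROP branch. ff_hevc_parse_sps continues outside the hunk.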
diff --git a/libavcodec/hevc/ps.h b/libavcodec/hevc/ps.h
index d620887b8e..f5c5f81a6e 100644
--- a/libavcodec/hevc/ps.h
+++ b/libavcodec/hevc/ps.h
@@ -162,10 +162,7 @@ typedef struct RepFormat {
uint8_t separate_colour_plane_flag;
uint8_t bit_depth_luma; ///< bit_depth_vps_luma_minus8 + 8
uint8_t bit_depth_chroma; ///< bit_depth_vps_chroma_minus8 + 8
- uint16_t conf_win_left_offset;
- uint16_t conf_win_right_offset;
- uint16_t conf_win_top_offset;
- uint16_t conf_win_bottom_offset;
+ HEVCWindow conf_win;
} RepFormat;
typedef struct HEVCVPS {
--
2.52.0
>From 50f997d32fbd6cc9a61121ca0c1991f270bcb79d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 22 Feb 2026 21:51:01 +0100
Subject: [PATCH 2/2] avcodec/hevc/ps: Check window parameters
Fixes: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int'
Fixes: 484567435/clusterfuzz-testcase-minimized-ffmpeg_dem_HXVS_fuzzer-5628836988649472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hevc/ps.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index 3606e9c29f..cc32043d12 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -71,6 +71,13 @@ static int read_window(HEVCWindow *window, GetBitContext *gb, int chroma_format_
int64_t top = get_ue_golomb_long(gb) * vert_mult;
int64_t bottom = get_ue_golomb_long(gb) * vert_mult;
+ if (left < 0 || right < 0 || top < 0 || bottom < 0 ||
+ w <= left + right ||
+ h <= top + bottom) {
+ memset(window, 0, sizeof(*window));
+ return AVERROR_INVALIDDATA;
+ }
+
window->left_offset = left;
window->right_offset = right;
window->top_offset = top;
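Review bot: The four sign tests in the new condition look unreachable: each product is formed in int64_t from the return of get_ue_golomb_long(), which I believe is unsigned, times an entry of the subsampling tables, so none can be negative. The guards that do the work are `w <= left + right` and `h <= top + bottom`, which also bound every offset below the picture size before it is stored in the window. I would either drop the sign tests or keep them with a comment stating the invariant, e.g. `/* offsets are non-negative; the sum checks keep them below the picture size */`. The comparison assumes w and h were already validated as positive by the caller, which is not visible here. The start of read_window is outside this hunk.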
--
2.52.0