From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 235374D37C
	for <ffmpegdev@gitmailbox.com>; Tue, 18 Nov 2025 01:28:31 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'2Rr3WwrTMH0W3nhLFBPJO+/alLk4w+MGcgTo9y3/Sqs=', expected 
   b'627qxy4pEtQk+8Flh5o+N0FmZcdRNQUQeHBJqx/wuxo=')) header.d=intel.com 
   header.i=@intel.com header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1763429296; h=to : date :
 message-id : mime-version : reply-to : subject : list-id :
 list-archive : list-archive : list-help : list-owner : list-post :
 list-subscribe : list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=2Rr3WwrTMH0W3nhLFBPJO+/alLk4w+MGcgTo9y3/Sqs=;
 b=dBUO/GwyistkjsZzIBZbC2W5tywgnZ5SgKtfxJsAFwUVvTP9HWrdKf19xamSMirK4ab7r
 oyZMqrNzkuafkU0tcylceqh8FnLTUfBxHmkhxw7hP2f51MI2Z/uim7bcorzzEnAekaoPyZJ
 RYrYDcrPBTtNWMQk7bcRiBvKgDwNcHqd3tIqYZQazKvEE+H/9K5nsUj0xhGNmp1yPod8vUA
 9exhRpO9R55BkLu0jiU9Y0i7qKtQ5QppVDxNUfsHje4SmuwJuGmAVhsmQhmYGYZXILrQhFh
 37M1ZMpczLg0AYg5cSgvUpHC67lohPZeQeMPKkkX7Nh/CThEVd82kgXAF12Q==
Received: from [172.19.0.2] (unknown [172.19.0.2])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 78E5368FF77;
	Tue, 18 Nov 2025 03:28:16 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1763429270;
 b=cQpntKMKmdLIu8hNJXSLIiJDPZ0v1aXreSuqlxTPgWGeP7K2Q5v3BpiU/GDYVvNmwlouL
 Qew7gkknYxMO1n6BJt64l7G/5QxTjEzk1O4ob4OM9L+J4HT2/FPKnGA9CNPeXZuxP/Dfl4f
 Jph09Kc+hllxv0CbvZGSvsTED5KZitZCvkTHEXlh58dgzN/kef4+HW988ZXRmTPeqxiBVUE
 z6NWowvviOOWMU75D6UDoH5jGUWqDTxSst54qPjEQZHuiiiEdqom3xTnZS/8x6wAIOAfMgs
 dx/M8PLJUhTseSrOGnohlUKdr/JSs8aBlHuJ539lP+/KuqdKuC9JEC/rjXrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1763429270; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=fGTs0jEoWEvFUs73weYXEjPfvPL98QGOMQHEzfnXMkU=;
 b=Q6c9wao8125ZE/Ak+D3SxMLmvCngUDWD80ln3o64KJN7UT01eHwR4AHBrRVg4vBB8RKz5
 JbqWtTK6u4LwMwpI1oGxHBfeaBRwD/YS5sHMJUetP4xw4c0McFuzsVCOOLKsS1WS5NvQacT
 j1m4D5p9ltbEDr8c6Nq86zYpFnKYOS7wqLFu15xQ0SPF/KSBBqMiGJeuTXsYeFcbiZhqVQV
 karsWWqDJb1H5ZKjr0kJH8YsqXB8Nd+xvRyUFHGgXXHPwYnrV+M93Z53ODhU58OHtyuYQHZ
 92kmnnJHlw1rK98eiKVxY/DvU3BZVfB0ETacowPF2IP7R8HtNPzd5Qm3zG5Q==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=intel.com header.i=@intel.com;
 arc=none;
 dmarc=pass header.from=intel.com policy.dmarc=none
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=intel.com header.i=@intel.com;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=intel.com policy.dmarc=none
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 2FABF68FE8D
	for <ffmpeg-devel@ffmpeg.org>; Tue, 18 Nov 2025 03:27:34 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1763429260; x=1794965260;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=627qxy4pEtQk+8Flh5o+N0FmZcdRNQUQeHBJqx/wuxo=;
  b=Nk68GKdNjmeTqr2XXrYFKz3NztlWGCxGW+/lGS8QIqW1TIEunbeaflZJ
   FDh3Y2iB6gIK0NmWX9+A0AqdQBCWuLM+Rg3Ac71Jl5szdGffxgoykLdqN
   wSwV0zti8lTPIu7DNZKbQOwCs2Zkbf5pW19BeK/HAw5X1c3Vc5Twik8KG
   6FIAl0KGdfVWrrIdun2FAahqTe2qscpEg5UBVi0VmH8g31IQSNzKTKmkj
   u7+vgv8Dm16eJ1gzUWsWpyKR1EGaCQOevw/8LzL8RuMBmn/EJthnbpOih
   YuD7K7drOzc7V6xAikFRrGTyc1ZEK4MBz+RbQ9tgPaMsDvd1q0Kowb5bn
   Q==;
X-CSE-ConnectionGUID: rfHYE0uxQdOJUaj2mzly4A==
X-CSE-MsgGUID: DX7/kYWJTZucT4q7qzz5Qw==
X-IronPort-AV: E=McAfee;i="6800,10657,11616"; a="65323838"
X-IronPort-AV: E=Sophos;i="6.19,313,1754982000";
   d="scan'208";a="65323838"
Received: from orviesa004.jf.intel.com ([10.64.159.144])
  by orvoesa111.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 17 Nov 2025 17:27:32 -0800
X-CSE-ConnectionGUID: XUCjeyBaTuShrMWpOQWT6g==
X-CSE-MsgGUID: hb4gszJHTeqKJ2mCY9UplQ==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.19,313,1754982000";
   d="scan'208";a="195083306"
Received: from xhh-dg264.sh.intel.com ([10.238.2.76])
  by orviesa004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 17 Nov 2025 17:27:31 -0800
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 18 Nov 2025 09:26:10 +0800
Message-ID: <20251118012610.1386789-1-haihao.xiang@intel.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Message-ID-Hash: G74NUVCUSC5DMCVNX4DR4KHMIZ7AAFP6
X-Message-ID-Hash: G74NUVCUSC5DMCVNX4DR4KHMIZ7AAFP6
X-MailFrom: SRS0=BxOD=52=intel.com=haihao.xiang@ffmpeg.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] qsv: fix pitch truncation on negative/oversized stride
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/G74NUVCUSC5DMCVNX4DR4KHMIZ7AAFP6/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/20251118012610.1386789-1-haihao.xiang@intel.com/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: "Xiang, Haihao via ffmpeg-devel" <ffmpeg-devel@ffmpeg.org>
Cc: Disclosure <disclosure@aisle.com>, Zhong Li <lizhong1008@gmail.com>,
 Haihao Xiang <haihao.xiang@intel.com>,
 Michael Niedermayer <michael@niedermayer.cc>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20251118012610.1386789-1-haihao.xiang@intel.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

From: Disclosure <disclosure@aisle.com>

Reviewed-by: Zhong Li <lizhong1008@gmail.com>
Reviewed-by: Haihao Xiang <haihao.xiang@intel.com>
Cc: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Disclosure <disclosure@aisle.com>
---
 libavcodec/qsv.c          |  2 ++
 libavfilter/qsvvpp.c      |  2 ++
 libavutil/hwcontext_qsv.c | 20 ++++++++++++++------
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/libavcodec/qsv.c b/libavcodec/qsv.c
index cd5195a54b..cc67e2110e 100644
--- a/libavcodec/qsv.c
+++ b/libavcodec/qsv.c
@@ -340,6 +340,8 @@ int ff_qsv_map_frame_to_surface(const AVFrame *frame, mfxFrameSurface1 *surface)
     default:
         return AVERROR(ENOSYS);
     }
+    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
+	return AVERROR(EINVAL);
     surface->Data.PitchLow  = frame->linesize[0];
 
     return 0;
diff --git a/libavfilter/qsvvpp.c b/libavfilter/qsvvpp.c
index c3685f126c..24e4431f75 100644
--- a/libavfilter/qsvvpp.c
+++ b/libavfilter/qsvvpp.c
@@ -289,6 +289,8 @@ static int map_frame_to_surface(AVFrame *frame, mfxFrameSurface1 *surface)
     default:
         return MFX_ERR_UNSUPPORTED;
     }
+    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
+	return AVERROR(EINVAL);
     surface->Data.Pitch = frame->linesize[0];
 
     return 0;
diff --git a/libavutil/hwcontext_qsv.c b/libavutil/hwcontext_qsv.c
index b92c9cb0ad..7e33d9c1f8 100644
--- a/libavutil/hwcontext_qsv.c
+++ b/libavutil/hwcontext_qsv.c
@@ -1784,6 +1784,8 @@ static int map_frame_to_surface(const AVFrame *frame, mfxFrameSurface1 *surface)
     default:
         return MFX_ERR_UNSUPPORTED;
     }
+    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
+	return AVERROR(EINVAL);
     surface->Data.Pitch     = frame->linesize[0];
     surface->Data.TimeStamp = frame->pts;
 
@@ -1838,15 +1840,16 @@ static int qsv_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst,
     /* According to MSDK spec for mfxframeinfo, "Width must be a multiple of 16.
      * Height must be a multiple of 16 for progressive frame sequence and a
      * multiple of 32 otherwise.", so align all frames to 16 before downloading. */
-    if (dst->height & 15 || dst->linesize[0] & 15) {
+    if (dst->height & 15 || dst->linesize[0] & 15 ||
+        dst->linesize[0] <= 0 || dst->linesize[0] > UINT16_MAX) {
         realigned = 1;
         if (tmp_frame->format != dst->format ||
-            tmp_frame->width  != FFALIGN(dst->linesize[0], 16) ||
+            tmp_frame->width  != FFALIGN(FFABS(dst->linesize[0]), 16) ||
             tmp_frame->height != FFALIGN(dst->height, 16)) {
             av_frame_unref(tmp_frame);
 
             tmp_frame->format = dst->format;
-            tmp_frame->width  = FFALIGN(dst->linesize[0], 16);
+            tmp_frame->width  = FFALIGN(FFABS(dst->linesize[0]), 16);
             tmp_frame->height = FFALIGN(dst->height, 16);
             ret = av_frame_get_buffer(tmp_frame, 0);
             if (ret < 0)
@@ -1865,7 +1868,9 @@ static int qsv_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst,
     }
 
     out.Info = in->Info;
-    map_frame_to_surface(dst_frame, &out);
+    ret = map_frame_to_surface(dst_frame, &out);
+    if (ret < 0)
+	return ret;
 
     do {
         err = MFXVideoVPP_RunFrameVPPAsync(s->session_download, in, &out, NULL, &sync);
@@ -1922,7 +1927,8 @@ static int qsv_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst,
     /* According to MSDK spec for mfxframeinfo, "Width must be a multiple of 16.
      * Height must be a multiple of 16 for progressive frame sequence and a
      * multiple of 32 otherwise.", so align all frames to 16 before uploading. */
-    if (src->height & 15 || src->linesize[0] & 15) {
+    if (src->height & 15 || src->linesize[0] & 15 ||
+        src->linesize[0] <= 0 || src->linesize[0] > UINT16_MAX) {
         realigned = 1;
         if (tmp_frame->format != src->format ||
             tmp_frame->width  != FFALIGN(src->width, 16) ||
@@ -1963,7 +1969,9 @@ static int qsv_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst,
     }
 
     in.Info = out->Info;
-    map_frame_to_surface(src_frame, &in);
+    ret = map_frame_to_surface(src_frame, &in);
+    if (ret < 0)
+	return ret;
 
     do {
         err = MFXVideoVPP_RunFrameVPPAsync(s->session_upload, &in, out, NULL, &sync);
-- 
2.43.0

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org