Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
From: Zhao Zhili via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Disclosure <disclosure@aisle.com>,
	Zhong Li <lizhong1008@gmail.com>,
	Haihao Xiang <haihao.xiang@intel.com>,
	Michael Niedermayer <michael@niedermayer.cc>,
	Zhao Zhili <quinkblack@foxmail.com>
Subject: [FFmpeg-devel] Re: [PATCH] qsv: fix pitch truncation on negative/oversized stride
Date: Tue, 18 Nov 2025 10:39:49 +0800
Message-ID: <tencent_350E39C9C3B5B6AC681603016A9A7F3EAC0A@qq.com> (raw)
In-Reply-To: <20251118012610.1386789-1-haihao.xiang@intel.com>



> On Nov 18, 2025, at 09:26, Xiang, Haihao via ffmpeg-devel <ffmpeg-devel@ffmpeg.org> wrote:
> 
> From: Disclosure <disclosure@aisle.com>
> 
> Reviewed-by: Zhong Li <lizhong1008@gmail.com>
> Reviewed-by: Haihao Xiang <haihao.xiang@intel.com>
> Cc: Michael Niedermayer <michael@niedermayer.cc>
> Signed-off-by: Disclosure <disclosure@aisle.com>
> ---
> libavcodec/qsv.c          |  2 ++
> libavfilter/qsvvpp.c      |  2 ++
> libavutil/hwcontext_qsv.c | 20 ++++++++++++++------
> 3 files changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/libavcodec/qsv.c b/libavcodec/qsv.c
> index cd5195a54b..cc67e2110e 100644
> --- a/libavcodec/qsv.c
> +++ b/libavcodec/qsv.c
> @@ -340,6 +340,8 @@ int ff_qsv_map_frame_to_surface(const AVFrame *frame, mfxFrameSurface1 *surface)
>     default:
>         return AVERROR(ENOSYS);
>     }
> +    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
> +	return AVERROR(EINVAL);

linesize[0] < 0 is valid for FFmpeg, although I don’t know whether it can or should be supported at here.

>     surface->Data.PitchLow  = frame->linesize[0];
> 
>     return 0;
> diff --git a/libavfilter/qsvvpp.c b/libavfilter/qsvvpp.c
> index c3685f126c..24e4431f75 100644
> --- a/libavfilter/qsvvpp.c
> +++ b/libavfilter/qsvvpp.c
> @@ -289,6 +289,8 @@ static int map_frame_to_surface(AVFrame *frame, mfxFrameSurface1 *surface)
>     default:
>         return MFX_ERR_UNSUPPORTED;
>     }
> +    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
> +	return AVERROR(EINVAL);
>     surface->Data.Pitch = frame->linesize[0];
> 
>     return 0;
> diff --git a/libavutil/hwcontext_qsv.c b/libavutil/hwcontext_qsv.c
> index b92c9cb0ad..7e33d9c1f8 100644
> --- a/libavutil/hwcontext_qsv.c
> +++ b/libavutil/hwcontext_qsv.c
> @@ -1784,6 +1784,8 @@ static int map_frame_to_surface(const AVFrame *frame, mfxFrameSurface1 *surface)
>     default:
>         return MFX_ERR_UNSUPPORTED;
>     }
> +    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
> +	return AVERROR(EINVAL);
>     surface->Data.Pitch     = frame->linesize[0];
>     surface->Data.TimeStamp = frame->pts;
> 
> @@ -1838,15 +1840,16 @@ static int qsv_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst,
>     /* According to MSDK spec for mfxframeinfo, "Width must be a multiple of 16.
>      * Height must be a multiple of 16 for progressive frame sequence and a
>      * multiple of 32 otherwise.", so align all frames to 16 before downloading. */
> -    if (dst->height & 15 || dst->linesize[0] & 15) {
> +    if (dst->height & 15 || dst->linesize[0] & 15 ||
> +        dst->linesize[0] <= 0 || dst->linesize[0] > UINT16_MAX) {
>         realigned = 1;
>         if (tmp_frame->format != dst->format ||
> -            tmp_frame->width  != FFALIGN(dst->linesize[0], 16) ||
> +            tmp_frame->width  != FFALIGN(FFABS(dst->linesize[0]), 16) ||
>             tmp_frame->height != FFALIGN(dst->height, 16)) {
>             av_frame_unref(tmp_frame);
> 
>             tmp_frame->format = dst->format;
> -            tmp_frame->width  = FFALIGN(dst->linesize[0], 16);
> +            tmp_frame->width  = FFALIGN(FFABS(dst->linesize[0]), 16);
>             tmp_frame->height = FFALIGN(dst->height, 16);
>             ret = av_frame_get_buffer(tmp_frame, 0);
>             if (ret < 0)
> @@ -1865,7 +1868,9 @@ static int qsv_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst,
>     }
> 
>     out.Info = in->Info;
> -    map_frame_to_surface(dst_frame, &out);
> +    ret = map_frame_to_surface(dst_frame, &out);
> +    if (ret < 0)
> +	return ret;
> 
>     do {
>         err = MFXVideoVPP_RunFrameVPPAsync(s->session_download, in, &out, NULL, &sync);
> @@ -1922,7 +1927,8 @@ static int qsv_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst,
>     /* According to MSDK spec for mfxframeinfo, "Width must be a multiple of 16.
>      * Height must be a multiple of 16 for progressive frame sequence and a
>      * multiple of 32 otherwise.", so align all frames to 16 before uploading. */
> -    if (src->height & 15 || src->linesize[0] & 15) {
> +    if (src->height & 15 || src->linesize[0] & 15 ||
> +        src->linesize[0] <= 0 || src->linesize[0] > UINT16_MAX) {
>         realigned = 1;
>         if (tmp_frame->format != src->format ||
>             tmp_frame->width  != FFALIGN(src->width, 16) ||
> @@ -1963,7 +1969,9 @@ static int qsv_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst,
>     }
> 
>     in.Info = out->Info;
> -    map_frame_to_surface(src_frame, &in);
> +    ret = map_frame_to_surface(src_frame, &in);
> +    if (ret < 0)
> +	return ret;
> 
>     do {
>         err = MFXVideoVPP_RunFrameVPPAsync(s->session_upload, &in, out, NULL, &sync);
> -- 
> 2.43.0
> 
> _______________________________________________
> ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
> To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

      reply	other threads:[~2025-11-18  2:41 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-18  1:26 [FFmpeg-devel] " Xiang, Haihao via ffmpeg-devel
2025-11-18  2:39 ` Zhao Zhili via ffmpeg-devel [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=tencent_350E39C9C3B5B6AC681603016A9A7F3EAC0A@qq.com \
    --to=ffmpeg-devel@ffmpeg.org \
    --cc=disclosure@aisle.com \
    --cc=haihao.xiang@intel.com \
    --cc=lizhong1008@gmail.com \
    --cc=michael@niedermayer.cc \
    --cc=quinkblack@foxmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git