Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
* [FFmpeg-devel] [PATCH] qsv: fix pitch truncation on negative/oversized stride
@ 2025-11-18  1:26 Xiang, Haihao via ffmpeg-devel
  2025-11-18  2:39 ` [FFmpeg-devel] " Zhao Zhili via ffmpeg-devel
  0 siblings, 1 reply; 2+ messages in thread
From: Xiang, Haihao via ffmpeg-devel @ 2025-11-18  1:26 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Disclosure, Zhong Li, Haihao Xiang, Michael Niedermayer

From: Disclosure <disclosure@aisle.com>

Reviewed-by: Zhong Li <lizhong1008@gmail.com>
Reviewed-by: Haihao Xiang <haihao.xiang@intel.com>
Cc: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Disclosure <disclosure@aisle.com>
---
 libavcodec/qsv.c          |  2 ++
 libavfilter/qsvvpp.c      |  2 ++
 libavutil/hwcontext_qsv.c | 20 ++++++++++++++------
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/libavcodec/qsv.c b/libavcodec/qsv.c
index cd5195a54b..cc67e2110e 100644
--- a/libavcodec/qsv.c
+++ b/libavcodec/qsv.c
@@ -340,6 +340,8 @@ int ff_qsv_map_frame_to_surface(const AVFrame *frame, mfxFrameSurface1 *surface)
     default:
         return AVERROR(ENOSYS);
     }
+    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
+	return AVERROR(EINVAL);
     surface->Data.PitchLow  = frame->linesize[0];
 
     return 0;
diff --git a/libavfilter/qsvvpp.c b/libavfilter/qsvvpp.c
index c3685f126c..24e4431f75 100644
--- a/libavfilter/qsvvpp.c
+++ b/libavfilter/qsvvpp.c
@@ -289,6 +289,8 @@ static int map_frame_to_surface(AVFrame *frame, mfxFrameSurface1 *surface)
     default:
         return MFX_ERR_UNSUPPORTED;
     }
+    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
+	return AVERROR(EINVAL);
     surface->Data.Pitch = frame->linesize[0];
 
     return 0;
diff --git a/libavutil/hwcontext_qsv.c b/libavutil/hwcontext_qsv.c
index b92c9cb0ad..7e33d9c1f8 100644
--- a/libavutil/hwcontext_qsv.c
+++ b/libavutil/hwcontext_qsv.c
@@ -1784,6 +1784,8 @@ static int map_frame_to_surface(const AVFrame *frame, mfxFrameSurface1 *surface)
     default:
         return MFX_ERR_UNSUPPORTED;
     }
+    if (frame->linesize[0] <= 0 || frame->linesize[0] > UINT16_MAX)
+	return AVERROR(EINVAL);
     surface->Data.Pitch     = frame->linesize[0];
     surface->Data.TimeStamp = frame->pts;
 
@@ -1838,15 +1840,16 @@ static int qsv_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst,
     /* According to MSDK spec for mfxframeinfo, "Width must be a multiple of 16.
      * Height must be a multiple of 16 for progressive frame sequence and a
      * multiple of 32 otherwise.", so align all frames to 16 before downloading. */
-    if (dst->height & 15 || dst->linesize[0] & 15) {
+    if (dst->height & 15 || dst->linesize[0] & 15 ||
+        dst->linesize[0] <= 0 || dst->linesize[0] > UINT16_MAX) {
         realigned = 1;
         if (tmp_frame->format != dst->format ||
-            tmp_frame->width  != FFALIGN(dst->linesize[0], 16) ||
+            tmp_frame->width  != FFALIGN(FFABS(dst->linesize[0]), 16) ||
             tmp_frame->height != FFALIGN(dst->height, 16)) {
             av_frame_unref(tmp_frame);
 
             tmp_frame->format = dst->format;
-            tmp_frame->width  = FFALIGN(dst->linesize[0], 16);
+            tmp_frame->width  = FFALIGN(FFABS(dst->linesize[0]), 16);
             tmp_frame->height = FFALIGN(dst->height, 16);
             ret = av_frame_get_buffer(tmp_frame, 0);
             if (ret < 0)
@@ -1865,7 +1868,9 @@ static int qsv_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst,
     }
 
     out.Info = in->Info;
-    map_frame_to_surface(dst_frame, &out);
+    ret = map_frame_to_surface(dst_frame, &out);
+    if (ret < 0)
+	return ret;
 
     do {
         err = MFXVideoVPP_RunFrameVPPAsync(s->session_download, in, &out, NULL, &sync);
@@ -1922,7 +1927,8 @@ static int qsv_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst,
     /* According to MSDK spec for mfxframeinfo, "Width must be a multiple of 16.
      * Height must be a multiple of 16 for progressive frame sequence and a
      * multiple of 32 otherwise.", so align all frames to 16 before uploading. */
-    if (src->height & 15 || src->linesize[0] & 15) {
+    if (src->height & 15 || src->linesize[0] & 15 ||
+        src->linesize[0] <= 0 || src->linesize[0] > UINT16_MAX) {
         realigned = 1;
         if (tmp_frame->format != src->format ||
             tmp_frame->width  != FFALIGN(src->width, 16) ||
@@ -1963,7 +1969,9 @@ static int qsv_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst,
     }
 
     in.Info = out->Info;
-    map_frame_to_surface(src_frame, &in);
+    ret = map_frame_to_surface(src_frame, &in);
+    if (ret < 0)
+	return ret;
 
     do {
         err = MFXVideoVPP_RunFrameVPPAsync(s->session_upload, &in, out, NULL, &sync);
-- 
2.43.0

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-11-18  2:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-11-18  1:26 [FFmpeg-devel] [PATCH] qsv: fix pitch truncation on negative/oversized stride Xiang, Haihao via ffmpeg-devel
2025-11-18  2:39 ` [FFmpeg-devel] " Zhao Zhili via ffmpeg-devel

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git