This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 38230db7b9 avcodec/vp9: Reallocate on resolution change which does not
change tile_cols
38230db7b9 is described below
commit 38230db7b908af34315cffe848a83989dbe1678e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Jan 23 00:06:23 2026 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Tue Feb 10 01:30:42 2026 +0100
avcodec/vp9: Reallocate on resolution change which does not change tile_cols
Fixes: out of array access on resolution change with slices threads
Fixes: VULN-10/poc.ivf
Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/vp9.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 715d3b7563..454346532c 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -177,10 +177,12 @@ static int update_size(AVCodecContext *avctx, int w, int
h)
uint8_t *p;
int bytesperpixel = s->bytesperpixel, ret, cols, rows;
int lflvl_len, i;
+ int changed = 0;
av_assert0(w > 0 && h > 0);
if (!(s->pix_fmt == s->gf_fmt && w == s->w && h == s->h)) {
+ changed = 1;
if ((ret = ff_set_dimensions(avctx, w, h)) < 0)
return ret;
@@ -266,7 +268,7 @@ static int update_size(AVCodecContext *avctx, int w, int h)
rows = (h + 7) >> 3;
if (s->intra_pred_data[0] && cols == s->cols && rows == s->rows &&
s->pix_fmt == s->last_fmt)
- return 0;
+ return changed;
s->last_fmt = s->pix_fmt;
s->sb_cols = (w + 63) >> 6;
@@ -311,9 +313,10 @@ static int update_size(AVCodecContext *avctx, int w, int h)
ff_vp9dsp_init(&s->dsp, s->s.h.bpp, avctx->flags &
AV_CODEC_FLAG_BITEXACT);
ff_videodsp_init(&s->vdsp, s->s.h.bpp);
s->last_bpp = s->s.h.bpp;
+ changed = 1;
}
- return 0;
+ return changed;
}
static int update_block_buffers(AVCodecContext *avctx)
@@ -520,6 +523,7 @@ static int decode_frame_header(AVCodecContext *avctx,
int c, i, j, k, l, m, n, w, h, max, size2, ret, sharp;
int last_invisible;
const uint8_t *data2;
+ int changed;
/* general header */
if ((ret = init_get_bits8(&s->gb, data, size)) < 0) {
@@ -789,10 +793,10 @@ FF_ENABLE_DEPRECATION_WARNINGS
}
/* tiling info */
- if ((ret = update_size(avctx, w, h)) < 0) {
+ if ((changed = update_size(avctx, w, h)) < 0) {
av_log(avctx, AV_LOG_ERROR, "Failed to initialize decoder for %dx%d @
%d\n",
w, h, s->pix_fmt);
- return ret;
+ return changed;
}
for (s->s.h.tiling.log2_tile_cols = 0;
s->sb_cols > (64 << s->s.h.tiling.log2_tile_cols);
@@ -807,7 +811,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
}
s->s.h.tiling.log2_tile_rows = decode012(&s->gb);
s->s.h.tiling.tile_rows = 1 << s->s.h.tiling.log2_tile_rows;
- if (s->s.h.tiling.tile_cols != (1 << s->s.h.tiling.log2_tile_cols)) {
+ if (s->s.h.tiling.tile_cols != (1 << s->s.h.tiling.log2_tile_cols) ||
changed) {
int n_range_coders;
VPXRangeCoder *rc;
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
