This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit af2a176fd2d07eeaaa5c9aee8f989f50fe98aa15 Author: Michael Niedermayer <[email protected]> AuthorDate: Sat May 2 19:24:38 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:24:59 2026 +0200 avcodec/hevc/ps: validate rep_format dimensions in multi-layer SPS When an SPS uses the multi-layer extension (nuh_layer_id > 0 with sps_max_sub_layers_minus1 == 7), width and height are taken from the VPS rep_format without the av_image_check_size() validation that the direct path performs. HEVC F.7.4.3.1.1 requires rep_format pic dimensions to satisfy the constraints in 7.4.3.2.1, including "pic_width_in_luma_samples shall not be equal to 0". Run the same av_image_check_size() check in the multi-layer-extension path so the SPS is rejected before it reaches setup_pps(). Fixes: VS-FF-2026-0003/poc.flv Fixes: out of array access Found-by: Vuln Seeker Cyber Security Team Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 0f5705959df6abd65bdc26608ecb65ce5d3b79c9) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/hevc/ps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c index 46b38564d5..c67aab151d 100644 --- a/libavcodec/hevc/ps.c +++ b/libavcodec/hevc/ps.c @@ -1280,6 +1280,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->bit_depth = rf->bit_depth_luma; sps->width = rf->pic_width_in_luma_samples; sps->height = rf->pic_height_in_luma_samples; + if ((ret = av_image_check_size(sps->width, + sps->height, 0, avctx)) < 0) + return ret; sps->pic_conf_win.left_offset = rf->conf_win_left_offset; sps->pic_conf_win.right_offset = rf->conf_win_right_offset; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
