This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit 57e6b932604cdbf01db9621584109fc0f875c79e Author: Ruikai Peng <[email protected]> AuthorDate: Fri Jan 16 22:32:35 2026 -0500 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 15:57:03 2026 +0200 libavfilter/showcwt: fix OOB write for DU/RL position init In config_output() for direction=DU/RL, the position is initialized to s->sono_size, which equals h or w when bar=0. That position is later used as an in-bounds pixel coordinate without clamping in draw(), causing writes past the end of the output planes. Repro: ffmpeg -f lavfi -i sine=frequency=1000:sample_rate=44100 \ -filter_complex "[0:a]showcwt=s=640x512:bar=0:direction=du[v]" \ -map "[v]" -frames:v 1 -f null - AddressSanitizer: heap-buffer-overflow ... WRITE of size 1 Initialize and wrap the DU/RL position to sono_size - 1 (or 0 when empty), preventing out-of-bounds row/column writes when bar=0 while preserving existing slide behavior. (cherry picked from commit 905a4324030e859a95bbb9901998c55128b7150d) Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavfilter/avf_showcwt.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c
index 760a07f2ff..f26b89a81f 100644
--- a/libavfilter/avf_showcwt.c
+++ b/libavfilter/avf_showcwt.c
@@ -1021,7 +1021,7 @@ static int config_output(AVFilterLink *outlink)
 break;
 case DIRECTION_RL:
 case DIRECTION_DU:
- s->pos = s->sono_size;
+ s->pos = FFMAX(s->sono_size - 1, 0);
 break;
 }
 
@@ -1096,7 +1096,7 @@ static int output_frame(AVFilterContext *ctx)
 case DIRECTION_RL:
 s->pos--;
 if (s->pos < 0) {
- s->pos = s->sono_size;
+ s->pos = FFMAX(s->sono_size - 1, 0);
 s->new_frame = 1;
 }
 break;
@@ -1110,7 +1110,7 @@ static int output_frame(AVFilterContext *ctx)
 case DIRECTION_DU:
 s->pos--;
 if (s->pos < 0) {
- s->pos = s->sono_size;
+ s->pos = FFMAX(s->sono_size - 1, 0);
 s->new_frame = 1;
 }
 break;
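Review bot: The `FFMAX(..., 0)` fallback in config_output()'s `DIRECTION_RL`/`DIRECTION_DU` case leaves `s->pos` at 0 when `sono_size` is 0, and 0 is only a safe coordinate if the drawing code skips the sonogram in that configuration; draw() is not part of this diff, so that should be confirmed. The `break;` on the first context line closes the LR/UD case, whose initialiser is not visible here; if it seeds `s->pos` from the bar size, the mirror-image bound (bar covering the whole frame) may need the same check. A comment on the new assignment such as `/* pos is an inclusive pixel index into the sonogram: 0 .. sono_size - 1 */` would record the invariant the fix relies on. config_output() starts and ends outside the hunk.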
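Review bot: The wrap value `FFMAX(s->sono_size - 1, 0)` is now spelled out at four sites: config_output(), and in output_frame() the `DIRECTION_RL` wrap, the `DIRECTION_DU` wrap and the later RL/DU reset. A future change to the bound therefore has to be made in all four, or the out-of-bounds write returns at the one that was missed. A small static helper that returns this value, called from each site, would keep them in step. The commit message notes that draw() uses the position without clamping, so a range assertion at that point of use would catch a regression early, though for a release-branch cherry-pick that is probably better done on master first. output_frame() continues outside these hunks.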
@@ -1124,7 +1124,7 @@ static int output_frame(AVFilterContext *ctx)
 break;
 case DIRECTION_RL:
 case DIRECTION_DU:
- s->pos = s->sono_size;
+ s->pos = FFMAX(s->sono_size - 1, 0);
 break;
 }
 break;
_______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
