This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/6.1 in repository ffmpeg.
commit f99879f3085c6151f8d3243384262dc98bdcdd24 Author: James Almer <[email protected]> AuthorDate: Sat Jan 3 21:31:30 2026 -0300 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 17:13:12 2026 +0200 avfilter/vf_stack: add checks for the final canvas dimensions Prevents potential integer overflows when trying to stitch absurdly huge images together. Fixes #YWH-PGM40646-38. Signed-off-by: James Almer <[email protected]> (cherry picked from commit 4fad1367040e093c8a52f4f34054e4feb5203243) Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavfilter/vf_stack.c | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/libavfilter/vf_stack.c b/libavfilter/vf_stack.c
index 331dc7b3e3..a7689828dd 100644
--- a/libavfilter/vf_stack.c
+++ b/libavfilter/vf_stack.c
@@ -227,6 +227,8 @@ static int config_output(AVFilterLink *outlink)
 item->y[1] = item->y[2] = AV_CEIL_RSHIFT(height, s->desc->log2_chroma_h);
 item->y[0] = item->y[3] = height;
+ if (height > INT_MAX - ctx->inputs[i]->h)
+ return AVERROR(EINVAL);
 height += ctx->inputs[i]->h;
 }
 }
@@ -252,6 +254,8 @@ static int config_output(AVFilterLink *outlink)
 return ret;
 }
+ if (width > INT_MAX - ctx->inputs[i]->w)
+ return AVERROR(EINVAL);
 width += ctx->inputs[i]->w;
 }
 }
@@ -287,8 +291,13 @@ static int config_output(AVFilterLink *outlink)
 item->y[1] = item->y[2] = AV_CEIL_RSHIFT(inh, s->desc->log2_chroma_h);
 item->y[0] = item->y[3] = inh;
+
+ if (inw > INT_MAX - ctx->inputs[k]->w)
+ return AVERROR(EINVAL);
 inw += ctx->inputs[k]->w;
 }
+ if (height > INT_MAX - row_height)
+ return AVERROR(EINVAL);
 height += row_height;
 if (!i)
 width = inw;
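Review bot: The new overflow rejections return `AVERROR(EINVAL)` with no diagnostic, starting with the `height > INT_MAX - ctx->inputs[i]->h` guard in the -227 hunk, so a user or anyone reading the logs sees only a generic invalid-argument failure and cannot tell that a canvas-size limit was hit. Logging before the return would make the cause visible, e.g. `av_log(ctx, AV_LOG_ERROR, "Stacked output dimensions exceed INT_MAX.\n");`. The same applies to the guards in the -252, -287, -339 and -372 hunks. config_output's body starts and ends outside this hunk.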
@@ -339,26 +348,41 @@ static int config_output(AVFilterLink *outlink)
 if (size == i || size < 0 || size >= s->nb_inputs)
 return AVERROR(EINVAL);
- if (!j)
+ if (!j) {
+ if (inw > INT_MAX - ctx->inputs[size]->w)
+ return AVERROR(EINVAL);
 inw += ctx->inputs[size]->w;
- else
+ } else {
+ if (inh > INT_MAX - ctx->inputs[size]->w)
+ return AVERROR(EINVAL);
 inh += ctx->inputs[size]->w;
+ }
 } else if (sscanf(arg3, "h%d", &size) == 1) {
 if (size == i || size < 0 || size >= s->nb_inputs)
 return AVERROR(EINVAL);
- if (!j)
+ if (!j) {
+ if (inw > INT_MAX - ctx->inputs[size]->h)
+ return AVERROR(EINVAL);
 inw += ctx->inputs[size]->h;
- else
+ } else {
+ if (inh > INT_MAX - ctx->inputs[size]->h)
+ return AVERROR(EINVAL);
 inh += ctx->inputs[size]->h;
+ }
 } else if (sscanf(arg3, "%d", &size) == 1) {
 if (size < 0)
 return AVERROR(EINVAL);
- if (!j)
+ if (!j) {
+ if (inw > INT_MAX - size)
+ return AVERROR(EINVAL);
 inw += size;
- else
+ } else {
+ if (inh > INT_MAX - size)
+ return AVERROR(EINVAL);
 inh += size;
+ }
 } else {
 return AVERROR(EINVAL);
 }
@@ -372,6 +396,8 @@ static int config_output(AVFilterLink *outlink)
 item->y[1] = item->y[2] = AV_CEIL_RSHIFT(inh, s->desc->log2_chroma_h);
 item->y[0] = item->y[3] = inh;
+ if (inlink->w > INT_MAX - inw || inlink->h > INT_MAX - inh)
+ return AVERROR(EINVAL);
 width = FFMAX(width, inlink->w + inw);
 height = FFMAX(height, inlink->h + inh);
 }
_______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
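Review bot: In the -339 hunk the literal-offset branch still takes `size` from `sscanf(arg3, "%d", &size)`, and C leaves the behaviour undefined when the parsed number does not fit in an int. The `size < 0` test and the new `inw > INT_MAX - size` / `inh > INT_MAX - size` guards therefore only protect the addition once `size` already holds a well-defined value. Parsing the number with `strtol`, then rejecting `errno == ERANGE`, trailing garbage and anything outside 0..INT_MAX before the addition, would close that gap. The index parsed by the `w%d` and `h%d` branches goes through the same conversion, although it is then range-checked against `s->nb_inputs`. The enclosing parsing loop starts and ends outside this hunk.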
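Review bot: The guard added in the -372 hunk keeps `inlink->w + inw` and `inlink->h + inh` within INT_MAX, but nothing visible bounds the resulting `width` and `height` as a frame size. A canvas whose area or line sizes overflow later size arithmetic could still be configured here. If no such check exists after the loop, which lies outside this hunk, validating the final values once there would match the commit's stated intent, e.g. `if ((ret = av_image_check_size(width, height, 0, ctx)) < 0) return ret;`.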
