This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/6.1 in repository ffmpeg.
commit c7b0de1fbdf169650b461543129644b0db1f2469 Author: marcos ashton <[email protected]> AuthorDate: Fri Mar 20 23:49:25 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 17:13:31 2026 +0200 avfilter/af_pan: fix sscanf() return value checks in parse_channel_name sscanf() returns EOF (-1) on input failure, which is non-zero and passes a bare truthy check. When this happens, the %n directive is never processed, so len stays uninitialized. Using that value to advance the arg pointer causes an out-of-bounds read and crash. Check for >= 1 instead, matching the fix applied to the other sscanf() call in init() by commit b5b6391d64. Fixes: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/22451 Signed-off-by: marcos ashton <[email protected]> (cherry picked from commit a43ea8bff79f23257313fc3e1a884aea9b7633ae) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/af_pan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index a5414b9ffb..930d7675e9 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -69,7 +69,7 @@ static int parse_channel_name(char **arg, int *rchannel, int *rnamed) skip_spaces(arg); /* try to parse a channel name, e.g. "FL" */ - if (sscanf(*arg, "%7[A-Z]%n", buf, &len)) { + if (sscanf(*arg, "%7[A-Z]%n", buf, &len) >= 1) { channel_id = av_channel_from_string(buf); if (channel_id < 0) return channel_id; @@ -80,7 +80,7 @@ static int parse_channel_name(char **arg, int *rchannel, int *rnamed) return 0; } /* try to parse a channel number, e.g. "c2" */ - if (sscanf(*arg, "c%d%n", &channel_id, &len) && + if (sscanf(*arg, "c%d%n", &channel_id, &len) >= 1 && channel_id >= 0 && channel_id < MAX_CHANNELS) { *rchannel = channel_id; *rnamed = 0; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
