This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/6.1 in repository ffmpeg.
commit 0533af2893d3b40f2d71adb0e03ba289c93dee27 Author: Zhao Zhili <[email protected]> AuthorDate: Mon Mar 23 16:21:24 2026 +0800 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 17:13:33 2026 +0200 avfilter/vf_ssim360: fix integer overflow in tape_length allocation tape_length * 8 overflows 32-bit int for large input widths. Then av_malloc_array() allocates a tiny buffer while the subsequent loop writes tape_length*8 BilinearMap entries, causing heap-buffer-overflow. Validate the value in float before converting to int and left shifting, to avoid both float-to-int and signed left shift overflow UB. Also split av_malloc_array() arguments to avoid the multiplication overflow. Fixes: #21511 Signed-off-by: Zhao Zhili <[email protected]> (cherry picked from commit b62ae766c166ac7e83c7f0bd7e022902bac320b1) Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavfilter/vf_ssim360.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavfilter/vf_ssim360.c b/libavfilter/vf_ssim360.c
index 3dec430bff..354ded1060 100644
--- a/libavfilter/vf_ssim360.c
+++ b/libavfilter/vf_ssim360.c
@@ -1033,10 +1033,16 @@ generate_eye_tape_map(SSIM360Context *s,
  float x_range = end_x - start_x;

  // Ensure tape length is a multiple of 4, for full SSIM block coverage
- int tape_length = s->tape_length[plane] = ((int)ROUNDED_DIV(x_range, 4)) << 2;
+ float tape_length_f = ROUNDED_DIV(x_range, 4);
+ int tape_length;

- s->ref_tape_map[plane][eye] = av_malloc_array(tape_length * 8, sizeof(BilinearMap));
- s->main_tape_map[plane][eye] = av_malloc_array(tape_length * 8, sizeof(BilinearMap));
+ if (!(tape_length_f > 0.f) || tape_length_f > INT_MAX / 4.0f)
+ return AVERROR(EINVAL);
+
+ tape_length = s->tape_length[plane] = (int)tape_length_f << 2;
+
+ s->ref_tape_map[plane][eye] = av_malloc_array(tape_length, 8 * sizeof(BilinearMap));
+ s->main_tape_map[plane][eye] = av_malloc_array(tape_length, 8 * sizeof(BilinearMap));
  if (!s->ref_tape_map[plane][eye] || !s->main_tape_map[plane][eye])
  return AVERROR(ENOMEM);

_______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
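Review bot: The upper bound in the new guard, `tape_length_f > INT_MAX / 4.0f`, still admits the boundary value: assuming a 32-bit int and IEEE single precision, INT_MAX is not exactly representable in float, so the right-hand side evaluates to 2^29, and a tape_length_f of exactly 2^29 passes the check and makes `(int)tape_length_f << 2` overflow. Using `>=` closes that, and a tighter limit such as `tape_length_f >= INT_MAX / 32` would also keep tape_length * 8 representable in int for the fill loop the commit message describes, which lies outside this hunk and may still compute that product in int. The lower bound is tested before truncation, so values between 0 and 1 pass and yield tape_length == 0; if a zero-length tape is not valid downstream, `!(tape_length_f >= 1.f)` would reject it here. generate_eye_tape_map starts before and continues past the hunk, so neither the loop nor the cleanup of a half-allocated map pair on the ENOMEM path could be checked from this page.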
