This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 461fb22053 avfilter/af_join: fix wrong loop bound in buffer dedup (use-after-free)
461fb22053 is described below
commit 461fb220538f13fb4f971af5d7321459a4c84754
Author: Franciszek Kalinowski <[email protected]>
AuthorDate: Tue May 19 09:29:45 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Mon May 25 22:21:41 2026 +0000
avfilter/af_join: fix wrong loop bound in buffer dedup (use-after-free)

try_push_frame() decides whether an input buffer is already tracked by testing
`j == i` (the channel index) instead of `j == nb_buffers`. Once an earlier
channel shared a buffer, nb_buffers falls behind i and a genuinely new buffer is
never referenced, so it is freed while the output frame still points at it.

Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski.
---
libavfilter/af_join.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c
index de13f8f2dc..0ca6447662 100644
--- a/libavfilter/af_join.c
+++ b/libavfilter/af_join.c
@@ -469,7 +469,7 @@ static int try_push_frame(AVFilterContext *ctx)
for (j = 0; j < nb_buffers; j++)
if (s->buffers[j]->buffer == buf->buffer)
break;
- if (j == i)
+ if (j == nb_buffers)
s->buffers[nb_buffers++] = buf;
}
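Review bot: the corrected test `if (j == nb_buffers)` has no comment saying that it is the not-found exit of the `for (j = 0; j < nb_buffers; j++)` scan directly above it, which is the same subtlety that let `j == i` pass before. A one-line comment such as "no match found: buf is a new underlying buffer, track it" would make the intent explicit for the next reader. The diffstat also shows libavfilter/af_join.c as the only file changed, so the fix ships without a regression test; a case where two earlier channels share one buffer and a later channel brings a distinct buffer would exercise exactly the path the commit message describes.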
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]