This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 223764a43e08151fb034b08db62bff09771ded07 Author: Bogdan Lisman <[email protected]> AuthorDate: Mon Jun 15 04:07:59 2026 +0300 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon Jun 15 23:57:25 2026 +0200 avcodec/snowenc: fix out-of-bounds memcpy in get_block_rd() for narrow planes For an edge block, get_block_rd() copies the full-OBMC-weight central region directly from cur[] into the reconstruction. It moved one boundary to block_w/block_h but overwrote the in-plane clip (x0/x1/y0/y1 computed earlier from the plane size) instead of intersecting with it. When a plane is narrower than block_w - e.g. a tiny field/chroma plane produced by the mcdeint filter - the right-edge case left x0 = block_w while x1 stayed clipped to w - sx < block_w, so x1 - x0 became negative and was passed to memcpy() as a huge size_t, crashing with SIGSEGV. Intersect the moved boundaries with the existing clip so the copy region stays inside the plane and the memcpy length can never be negative. Reproducible with the GPL mcdeint filter in slow/extra_slow mode, e.g. ffmpeg -f lavfi -i testsrc=s=5x32 -vf mcdeint=mode=slow -f null - This is a separate crash from the get_dc() SIGFPE (ticket #7779) reached through the same iterative_me() path. Add a lavfi-based FATE regression test. Signed-off-by: Bogdan Lisman <[email protected]> (cherry picked from commit 11684476268e5c518f70e9e120f4fc6ed58ff3ef) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/snowenc.c | 9 +++++---- tests/fate/filter-video.mak | 3 +++ tests/ref/fate/filter-mcdeint-slow-edge | 8 ++++++++ 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 5312d48e99..a30a895200 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -820,13 +820,14 @@ static int get_block_rd(SnowEncContext *enc, int mb_x, int mb_y, && (mb_x == 0 || mb_x == b_stride-1) && (mb_y == 0 || mb_y == b_height-1)){ if(mb_x == 0) - x1 = block_w; + x1 = FFMIN(x1, block_w); else - x0 = block_w; + x0 = FFMAX(x0, block_w); if(mb_y == 0) - y1 = block_h; + y1 = FFMIN(y1, block_h); else - y0 = block_h; + y0 = FFMAX(y0, block_h); + x0 = FFMIN(x0, x1); for(y=y0; y<y1; y++) memcpy(dst + sx+x0 + (sy+y)*ref_stride, cur + x0 + y*ref_stride, x1-x0); } diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak index 07b8632c6f..cfb9b55462 100644 --- a/tests/fate/filter-video.mak +++ b/tests/fate/filter-video.mak @@ -51,6 +51,9 @@ fate-filter-mcdeint-medium: CMD = framecrc -flags bitexact -idct simple -i $(TAR FATE_FILTER_SAMPLES-$(call FILTERDEMDEC, MCDEINT, MPEGTS, MPEG2VIDEO, SNOW_ENCODER) += $(FATE_MCDEINT) +FATE_FILTER-$(call FILTERFRAMECRC, MCDEINT TESTSRC, SNOW_ENCODER) += fate-filter-mcdeint-slow-edge +fate-filter-mcdeint-slow-edge: CMD = framecrc -auto_conversion_filters -flags bitexact -lavfi testsrc=s=5x32:r=25:d=1,mcdeint=mode=slow -frames:v 3 + FATE_FILTER_SAMPLES-$(call FILTERDEMDEC, CODECVIEW, RM, RV40) += fate-filter-codecview-mvs fate-filter-codecview-mvs: CMD = framecrc -flags2 +export_mvs -i $(TARGET_SAMPLES)/real/spygames-2MB.rmvb -vf codecview=mv=pf+bf+bb -frames:v 60 -an diff --git a/tests/ref/fate/filter-mcdeint-slow-edge b/tests/ref/fate/filter-mcdeint-slow-edge new file mode 100644 index 0000000000..c6411b3ada --- /dev/null +++ b/tests/ref/fate/filter-mcdeint-slow-edge @@ -0,0 +1,8 @@ +#tb 0: 1/25 +#media_type 0: video +#codec_id 0: rawvideo +#dimensions 0: 5x32 +#sar 0: 1/1 +0, 0, 0, 1, 480, 0xe8a1f302 +0, 1, 1, 1, 480, 0x0789f31c +0, 2, 2, 1, 480, 0x113af329 _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
