PR #20883 opened by thomasdullien
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20883
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20883.patch

For transparency: I am experimenting with an AI-assisted patch process, where the AI agent attempts to help root-cause analyze a crash by means of reproducing the crash with ASAN, making a recording with 'rr', and documenting the analysis at a granular level with verbatim quotes from the 'rr' trace. This root-cause analysis is then iteratively reviewed (e.g. as a human reviewer I check it for accuracy and plausibility) before a patch is generated.

The process generates a detailed analysis report, an 'rr' trace that can be shared with others to help with the verification, and a patch. Given that it is unclear how to best share the 'rr' trace, I have only attached the detailed root-cause analysis document that was at the end of the iterative process.

Tests have been run and pass.

=== Description ===

The YUV422 conversion functions process 2 rows at once but did not check whether a second row actually exists when srcSliceH is odd. With bottom-to-top processing (negative strides), this caused pu_2/pv_2 pointers to be set before the buffer start, leading to out-of-bounds memory access when accessing pu_2[0] or pv_2[0].

This patch adds a check to skip row 2 processing in the final remainder section when srcSliceH is odd, preventing access to non-existent rows while still processing all available source lines.

Performance impact is minimal: one bitwise AND operation only in the remainder section (when width is not divisible by 4), so performance regression is unlikely to be severe.

Fixes: https://trac.ffmpeg.org/ticket/11691

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

From 95b96efa7bc7b587e857b3e780d72b1192cb6a49 Mon Sep 17 00:00:00 2001
From: Thomas Dullien <[email protected]> Date: Sun, 9 Nov 2025 12:16:27 +0100 Subject: [PATCH] swscale/yuv2rgb: fix out-of-bounds access with odd srcSliceH in YUV422 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The YUV422 conversion functions process 2 rows at once but did not check whether a second row actually exists when srcSliceH is odd. With bottom-to-top processing (negative strides), this caused pu_2/pv_2 pointers to be set before the buffer start, leading to out-of-bounds memory access when accessing pu_2[0] or pv_2[0]. This patch adds a check to skip row 2 processing in the final remainder section when srcSliceH is odd, preventing access to non-existent rows while still processing all available source lines. Performance impact is minimal: one bitwise AND operation only in the remainder section (when width is not divisible by 4), so performance regression is unlikely to be severe. Fixes: https://trac.ffmpeg.org/ticket/11691 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> --- libswscale/yuv2rgb.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 48089760f5..cb5bcfaac2 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -364,8 +364,10 @@ const int *sws_getCoefficients(int colorspace) LOADCHROMA(1, 0); \ PUTFUNC(1, 0, 0); \ \ - LOADCHROMA(2, 0); \ - PUTFUNC(2, 0, 0 + 8); \ + if (!(srcSliceH & 1)) { \ + LOADCHROMA(2, 0); \ + PUTFUNC(2, 0, 0 + 8); \ + } \ ENDYUV2RGBFUNC() #define LOADDITHER16 \ -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
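
Review bot: The guard `if (!(srcSliceH & 1))` around `LOADCHROMA(2, 0)` and `PUTFUNC(2, 0, 0 + 8)` tests only the parity of the slice height, not whether the row pair currently being converted is the last one. If this macro body is expanded once per row pair, as "process 2 rows at once" in the commit message suggests, an odd srcSliceH would skip the second row's remainder pixels for every pair instead of only for the final, non-existent row; a condition that compares the current row position against srcSliceH would express the intent directly. The hunk also guards only the remainder block just before ENDYUV2RGBFUNC(), so the commit message should say why the row-2 accesses in the main per-column body are safe when srcSliceH is odd, and a one-line comment above the new `if` would record why the check exists.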
