PR #23159 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23159
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23159.patch

Fixes: poc_magicyuv.avi
Fixes: out of array access

Found-by: Ori Hollander of the JFrog Vulnerability Research team


>From ed834bd0a291eca7b7093632a6995f3a27077376 Mon Sep 17 00:00:00 2001
From: Ori Hollander <[email protected]>
Date: Sat, 9 May 2026 00:00:00 +0000
Subject: [PATCH 1/3] avcodec/magicyuv: reject slice_height misaligned with
 chroma vshift

Fixes: poc_magicyuv.avi
Fixes: out of array access

Found-by: Ori Hollander of the JFrog Vulnerability Research team
---
 libavcodec/magicyuv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index 46d474a24b..ea8a4007b6 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -553,6 +553,13 @@ static int magy_decode_frame(AVCodecContext *avctx, 
AVFrame *p,
                "invalid slice height: %d\n", s->slice_height);
         return AVERROR_INVALIDDATA;
     }
+    if (s->vshift[1] && (s->slice_height & ((1 << s->vshift[1]) - 1))) {
+        av_log(avctx, AV_LOG_ERROR,
+               "slice_height %d is not aligned to chroma vertical "
+               "subsampling (must be a multiple of %d)\n",
+               s->slice_height, 1 << s->vshift[1]);
+        return AVERROR_INVALIDDATA;
+    }
 
     bytestream2_skipu(&gb, 4);
 
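Review bot: The new check at `if (s->vshift[1] && (s->slice_height & ((1 << s->vshift[1]) - 1)))` has no comment saying why a misaligned slice_height is unsafe, and the commit message only names the symptom (out of array access). The slice decoders are not in this hunk, so the mechanism is inferred: chroma slice start rows are presumably derived from slice_height shifted by vshift, and a non-multiple would let later chroma slices land past the plane. A one-line comment above the check, e.g. `/* chroma slice offsets assume slice_height is a multiple of 1 << vshift[1] */` (wording to be confirmed against the slice code), would keep it from being relaxed later. The `s->vshift[1] &&` operand can also go, since the mask is 0 when the shift is 0. magy_decode_frame's body continues outside the hunk.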
-- 
2.52.0


>From 8cb53d0ea6d537ee9ebae59cd0581f4c1be235ec Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sat, 9 May 2026 00:00:00 +0000
Subject: [PATCH 2/3] avcodec/magicyuv: Expand the s->interlaced slice-height
 sanity check

Fixes: poc_magicyuv.avi
Fixes: out of array access

Found-by: Ori Hollander of the JFrog Vulnerability Research team
---
 libavcodec/magicyuv.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index ea8a4007b6..f27f44db13 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -570,15 +570,13 @@ static int magy_decode_frame(AVCodecContext *avctx, 
AVFrame *p,
         return AVERROR_INVALIDDATA;
     }
 
-    if (s->interlaced) {
-        if ((s->slice_height >> s->vshift[1]) < 2) {
-            av_log(avctx, AV_LOG_ERROR, "impossible slice height\n");
-            return AVERROR_INVALIDDATA;
-        }
-        if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % 
s->slice_height) >> s->vshift[1]) < 2) {
-            av_log(avctx, AV_LOG_ERROR, "impossible height\n");
-            return AVERROR_INVALIDDATA;
-        }
+    if ((s->slice_height >> s->vshift[1]) <= s->interlaced) {
+        av_log(avctx, AV_LOG_ERROR, "impossible slice height\n");
+        return AVERROR_INVALIDDATA;
+    }
+    if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % 
s->slice_height) >> s->vshift[1]) <= s->interlaced) {
+        av_log(avctx, AV_LOG_ERROR, "impossible height\n");
+        return AVERROR_INVALIDDATA;
     }
 
     if (bytestream2_get_bytes_left(&gb) <= s->nb_slices * s->planes * 5)
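Review bot: The rewritten tests `(s->slice_height >> s->vshift[1]) <= s->interlaced` and the matching remainder test only read correctly if s->interlaced is exactly 0 or 1, which nothing in this hunk states. Writing the bound as `< 1 + s->interlaced` would show the intent (a slice, and a trailing partial slice, needs at least 1 + interlaced chroma rows) and would match the `1 + interlaced` loop start visible in patch 3/3. Both messages also print no values, unlike the slice_height message added in patch 1/3; `"impossible slice height %d\n", s->slice_height` would make a rejected file diagnosable from the log. The remainder `avctx->coded_height % s->slice_height` is computed twice and could be held in a local. magy_decode_frame's body continues outside the hunk.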
-- 
2.52.0


>From 54007c2ab742c311681baa908f5f350f513925a1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Tue, 19 May 2026 19:49:42 +0200
Subject: [PATCH 3/3] avcodec/magicyuv: Fix 1 line MEDIAN slices

No testcase

Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/magicyuv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index f27f44db13..94e55ebb04 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -225,7 +225,8 @@ static int magy_decode_slice10(AVCodecContext *avctx, void 
*tdata,
                 s->llviddsp.add_left_pred_int16(dst, dst, max, width, 0);
                 dst += stride;
             }
-            lefttop = left = dst[0];
+            if (1 + interlaced < height)
+                lefttop = left = dst[0];
             for (k = 1 + interlaced; k < height; k++) {
                 magicyuv_median_pred16(dst, dst - fake_stride, dst, width, 
&left, &lefttop, max);
                 lefttop = left = dst[0];
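Review bot: The guard `if (1 + interlaced < height)` is added only in magy_decode_slice10, and the diffstat (2 insertions, 1 deletion) shows no second site changed. If the 8-bit slice decoder has the same unconditional `lefttop = left = dst[0];` ahead of its MEDIAN loop (not visible here), it still reads dst[0] from the row after a one-row slice and needs the same two-line guard. Patch 2/3 now explicitly admits one-row slices for non-interlaced input, so this path is reachable from file data. The commit says "No testcase"; a one-row-slice sample per bit depth run under a sanitizer build would confirm both paths. The MEDIAN case and its loop continue outside the hunk.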
-- 
2.52.0
