PR #23180 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23180 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23180.patch
try_push_frame() decides whether an input buffer is already tracked by testing `j == i` (the channel index) instead of `j == nb_buffers`. Once an earlier channel shared a buffer, nb_buffers falls behind i and a genuinely new buffer is never referenced, so it is freed while the output frame still points at it. Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. >From fe646b63e917816d312c6a1250a1e0071a8f7efb Mon Sep 17 00:00:00 2001 From: Franciszek Kalinowski <[email protected]> Date: Tue, 19 May 2026 09:29:45 +0200 Subject: [PATCH] avfilter/af_join: fix wrong loop bound in buffer dedup (use-after-free) try_push_frame() decides whether an input buffer is already tracked by testing `j == i` (the channel index) instead of `j == nb_buffers`. Once an earlier channel shared a buffer, nb_buffers falls behind i and a genuinely new buffer is never referenced, so it is freed while the output frame still points at it. Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. --- libavfilter/af_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index de13f8f2dc..0ca6447662 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -469,7 +469,7 @@ static int try_push_frame(AVFilterContext *ctx) for (j = 0; j < nb_buffers; j++) if (s->buffers[j]->buffer == buf->buffer) break; - if (j == i) + if (j == nb_buffers) s->buffers[nb_buffers++] = buf; } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
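Review bot: the corrected condition `j == nb_buffers` is the right not-found test for this dedup loop, since `j` only reaches `nb_buffers` when no already-tracked buffer matched, whereas `j == i` is only equivalent while every channel so far owns a distinct buffer; it would help future readers to add a one-line comment above the `for (j = 0; j < nb_buffers; j++)` loop stating that a buffer shared by several channels is referenced into `s->buffers` only once, and a regression test that joins channels mapped from the same input buffer would guard against this use-after-free coming back, as the bug is silent until the unreferenced buffer is freed and reused.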
