In output_frame(), when slide=scroll and direction=DU, the scroll loop
reads from dst + linesize. If bar=0, sono_size can equal h, so the last
iteration reads one row past the allocated frame buffer.
Limit the loop to sono_size - 1 to avoid reading past the last row.
Repro:
./ffmpeg -f lavfi -i "sine=frequency=440:duration=1" \
-filter_complex "[0:a]showcwt=direction=du:slide=scroll:bar=0:size=640x512[outv]" \
-map "[outv]" -f null -
AddressSanitizer: heap-buffer-overflow on address 0x7659f41dc820 at pc 0x765a08c39f37 bp 0x7659fd1edef0 sp 0x7659fd1ed698
READ of size 640 at 0x7659f41dc820 thread T17 (fc0)
#0 0x765a08c39f36 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:810
#1 0x573a9da79382 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:36
#2 0x573a9da79382 in output_frame src/libavfilter/avf_showcwt.c:1066
#3 0x573a9da7b7f7 in activate src/libavfilter/avf_showcwt.c:1277
#4 0x573a9daaddb3 in ff_filter_activate src/libavfilter/avfilter.c:1457
#5 0x573a9dac0907 in push_frame src/libavfilter/buffersrc.c:201
#6 0x573a9dac0907 in av_buffersrc_add_frame_flags src/libavfilter/buffersrc.c:273
#7 0x573a9d9b8bcd in send_frame src/fftools/ffmpeg_filter.c:3231
#8 0x573a9d9b8bcd in filter_thread src/fftools/ffmpeg_filter.c:3369
#9 0x573a9d9ecd00 in task_wrapper src/fftools/ffmpeg_sched.c:2694
#10 0x765a08694ac2 in start_thread nptl/pthread_create.c:442
#11 0x765a087268cf (/lib/x86_64-linux-gnu/libc.so.6+0x1268cf)
Signed-off-by: jiale yao <[email protected]>
---
libavfilter/avf_showcwt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c
index 839bdc7983..4c4edaa768 100644
--- a/libavfilter/avf_showcwt.c
+++ b/libavfilter/avf_showcwt.c
@@ -1060,7 +1060,7 @@ static int output_frame(AVFilterContext *ctx)
for (int p = 0; p < nb_planes; p++) {
ptrdiff_t linesize = s->outpicref->linesize[p];
- for (int y = 0; y < s->sono_size; y++) {
+ for (int y = 0; y < s->sono_size - 1; y++) {
uint8_t *dst = s->outpicref->data[p] + y * linesize;
memmove(dst, dst + linesize, s->w);
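Review bot: The new bound "y < s->sono_size - 1" means row sono_size - 1 is never written by this loop in any configuration, not only in the bar=0 case the commit message describes, so please confirm that this row is redrawn after the scroll and say so in a one-line comment above the loop. With the bound as posted, the last iteration is y = sono_size - 2 and its source row dst + linesize is row sono_size - 1, which is the last row that exists when sono_size equals h, so the out-of-bounds read in the trace (READ of size 640, matching s->w at size=640x512) is closed. Two smaller points: the expression sono_size - 1 relies on sono_size being a signed type so that a value of 0 yields an empty loop rather than a wrapped bound, which is worth checking against the field's declaration; and the commit message names only direction=DU, so it would help to state whether the scroll loops for the other directions were checked for the same off-by-one at the opposite edge.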
--
2.34.1