PR #23355 opened by Kery URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23355 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23355.patch
Reject USPP output buffer sizes that do not fit in the int stored in outbuf_size and later assigned to AVPacket.size. Reject cropdetect round values that would overflow while being normalized to an even value. Fixes: signed integer overflow in vf_uspp.c Fixes: signed integer overflow in vf_cropdetect.c Found-by: Kery Signed-off-by: Kery <[email protected]> >From 086b0e077d9c3d477ecd8246fefb3ce5ae59ee75 Mon Sep 17 00:00:00 2001 From: Kery <[email protected]> Date: Fri, 5 Jun 2026 09:46:35 +0800 Subject: [PATCH] avfilter/uspp,cropdetect: check integer overflows Reject USPP output buffer sizes that do not fit in the int stored in outbuf_size and later assigned to AVPacket.size. Reject cropdetect round values that would overflow while being normalized to an even value. Fixes: signed integer overflow in vf_uspp.c Fixes: signed integer overflow in vf_cropdetect.c Found-by: Kery Signed-off-by: Kery <[email protected]> --- libavfilter/vf_cropdetect.c | 8 +++++++- libavfilter/vf_uspp.c | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_cropdetect.c b/libavfilter/vf_cropdetect.c index 7c14cd117e..86b54a9c2f 100644 --- a/libavfilter/vf_cropdetect.c +++ b/libavfilter/vf_cropdetect.c @@ -410,8 +410,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) // colorspace problems. if (s->round <= 1) s->round = 16; - if (s->round % 2) + if (s->round % 2) { + if (s->round > INT_MAX / 2) { + av_log(ctx, AV_LOG_ERROR, "round value %d is too large\n", s->round); + av_frame_free(&frame); + return AVERROR(EINVAL); + } s->round *= 2; + } shrink_by = w % s->round; w -= shrink_by; diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c index c5efd44f92..81764185c8 100644 --- a/libavfilter/vf_uspp.c +++ b/libavfilter/vf_uspp.c 
@@ -438,6 +438,10 @@ static int config_input(AVFilterLink *inlink) return AVERROR(ENOMEM); } + if (((int64_t)width + BLOCK) * ((int64_t)height + BLOCK) > INT_MAX / 10) { + av_log(ctx, AV_LOG_ERROR, "output buffer size is too large\n"); + return AVERROR(EINVAL); + } uspp->outbuf_size = (width + BLOCK) * (height + BLOCK) * 10; if (!(uspp->outbuf = av_malloc(uspp->outbuf_size))) return AVERROR(ENOMEM); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
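Review bot: in the vf_cropdetect.c hunk the bound on s->round is enforced per frame in filter_frame, so an out-of-range value only surfaces as AVERROR(EINVAL) when the first frame arrives, after the graph has been configured. Since round is an option, clamping it in the AVOption table (max INT_MAX / 2, or a realistic maximum) or validating it in init()/config_input would reject it at option-parse time and make the `av_frame_free(&frame);` error path unnecessary. The arithmetic itself is right: an odd round of at most INT_MAX / 2 doubles to at most INT_MAX - 1, and because the doubled value is even the check can only fire once. Please also confirm that <limits.h> is reachable from this file for INT_MAX.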
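Review bot: in the vf_uspp.c hunk the size is computed twice, once in int64_t for the check and again in int on the very next line (`uspp->outbuf_size = (width + BLOCK) * (height + BLOCK) * 10;`). Computing it once as `int64_t size = ((int64_t)width + BLOCK) * ((int64_t)height + BLOCK) * 10;`, testing `if (size > INT_MAX)`, and then assigning `uspp->outbuf_size = size;` keeps the guard and the value it guards from drifting apart if BLOCK or the factor ever changes. The bound as written is correct (an area of at most INT_MAX / 10 times 10 fits in an int). Two smaller points: the error message should print width and height so the rejected dimensions are visible, and since the check sits after an allocation that already succeeded (the `return AVERROR(ENOMEM); }` just above it), confirm that uninit() releases that buffer on the new AVERROR(EINVAL) path, as it must already do for the av_malloc failure right below.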
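The two checks above are easy to get off by one at the boundary, so here is an added stand-alone C example (not code from the patch or from FFmpeg) that reproduces both guards as small functions and exercises them at the exact limits. BLOCK is assumed to be 16 here; the real value lives in vf_uspp.c, and checked_outbuf_size and normalize_round are illustrative names, not FFmpeg APIs. The non-negative check on width and height is an addition the patch does not need because libavfilter never hands a filter negative dimensions.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK 16 /* assumed; the real constant is defined in vf_uspp.c */

/* Mirrors the vf_uspp.c guard: the buffer size must fit the int that ends up
 * in AVPacket.size.  The product is formed in int64_t so the check itself
 * cannot overflow for any int width/height.  Returns the size in bytes, or
 * -1 when (width + BLOCK) * (height + BLOCK) * 10 would exceed INT_MAX. */
static int checked_outbuf_size(int width, int height)
{
    int64_t area;

    /* Extra guard for this example only: negative dimensions never reach a
     * filter, but they would otherwise slip past the magnitude check. */
    if (width < 0 || height < 0)
        return -1;

    area = ((int64_t)width + BLOCK) * ((int64_t)height + BLOCK);
    if (area > INT_MAX / 10)
        return -1;

    return (int)(area * 10); /* area * 10 <= INT_MAX by construction */
}

/* Mirrors the vf_cropdetect.c normalization: values <= 1 become 16, odd
 * values are doubled to make them even.  Returns the normalized value, or -1
 * when doubling would overflow a signed int. */
static int normalize_round(int round)
{
    if (round <= 1)
        round = 16;
    if (round % 2) {
        if (round > INT_MAX / 2)
            return -1;
        round *= 2;
    }
    return round;
}

int main(void)
{
    /* Largest height that still passes at width 0: 16 * (h + 16) <= INT_MAX / 10 */
    const int h_ok  = INT_MAX / 10 / BLOCK - BLOCK; /* 13421756 */
    const int h_bad = h_ok + 1;

    printf("uspp 1920x1080      -> %d\n", checked_outbuf_size(1920, 1080));
    printf("uspp 0x%d        -> %d\n", h_ok, checked_outbuf_size(0, h_ok));
    printf("uspp 0x%d        -> %d (rejected)\n", h_bad, checked_outbuf_size(0, h_bad));
    printf("uspp INT_MAXxINT_MAX -> %d (rejected)\n", checked_outbuf_size(INT_MAX, INT_MAX));

    printf("round 0            -> %d\n", normalize_round(0));
    printf("round 7            -> %d\n", normalize_round(7));
    printf("round INT_MAX/2    -> %d\n", normalize_round(INT_MAX / 2));
    printf("round INT_MAX/2+2  -> %d (rejected)\n", normalize_round(INT_MAX / 2 + 2));
    printf("round INT_MAX      -> %d (rejected)\n", normalize_round(INT_MAX));
    return 0;
}
```

The interesting cases are the two just inside and just outside each limit: INT_MAX / 2 is odd and still doubles to INT_MAX - 1, while the next odd value is rejected; at width 0 a height of 13421756 yields 2147483520 bytes, and one more row pushes the area past INT_MAX / 10.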
