PR #23380 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23380 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23380.patch
Found-by: Anthropic agents; validated and reported by Ada Logics. Signed-off-by: David Korczynski <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> # Summary of changes Briefly describe what this PR does and why. <!-- If this PR requires new FATE test samples, attach them to the PR and list their target paths below (relative to the fate-suite root). Attached filenames must match the sample's filename: ```fate-samples # e.g. vorbis/new-sample.ogg ``` --> >From 62423ec6191bf9b2d5c5a4429dd3dbfef2b1c398 Mon Sep 17 00:00:00 2001 From: David Korczynski <[email protected]> Date: Tue, 26 May 2026 12:00:00 +0000 Subject: [PATCH] avcodec/agm: validate actual src_y against prev plane in decode_inter_plane Found-by: Anthropic agents; validated and reported by Ada Logics. Signed-off-by: David Korczynski <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/agm.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index c13b4d963e..5d27d17274 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -409,12 +409,14 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, int map = s->map[x]; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h || - x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w) + int src_y = (s->blocks_h - 1 - y) * 8 - mv_y; + int src_x = x * 8 + mv_x; + if (src_y < 0 || src_y + 8 > h || + src_x < 0 || src_x + 8 > w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, - prev->data[plane] + ((s->blocks_h - 1 - y) * 8 - mv_y) * prev->linesize[plane] + (x * 8 + mv_x), + prev->data[plane] + src_y * prev->linesize[plane] + src_x, frame->linesize[plane], prev->linesize[plane], 8); if (map) { s->idsp.idct(s->wblocks + x * 64); @@ -446,12 +448,14 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, return ret; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h || - x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w) + int src_y = (s->blocks_h - 1 - y) * 8 - mv_y; + int src_x = x * 8 + mv_x; + if (src_y < 0 || src_y + 8 > h || + src_x < 0 || src_x + 8 > w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, - prev->data[plane] + ((s->blocks_h - 1 - y) * 8 - mv_y) * prev->linesize[plane] + (x * 8 + mv_x), + prev->data[plane] + src_y * prev->linesize[plane] + src_x, frame->linesize[plane], prev->linesize[plane], 8); if (map) { s->idsp.idct(s->block); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
