PR #23404 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23404 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23404.patch
Fixes: integer overflow Found-by: Kery (Qi Kery <[email protected]>) Signed-off-by: Michael Niedermayer <[email protected]> >From 90fb425de5a6455baa463211004b27ca081c203b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 8 Jun 2026 02:30:38 +0200 Subject: [PATCH] avfilter/v360: reject out-of-range output dimensions Fixes: integer overflow Found-by: Kery (Qi Kery <[email protected]>) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/vf_v360.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_v360.c b/libavfilter/vf_v360.c index 4384fa578b..6695e55462 100644 --- a/libavfilter/vf_v360.c +++ b/libavfilter/vf_v360.c @@ -4295,6 +4295,20 @@ static int v360_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) return 0; } +static int get_output_dimension(AVFilterContext *ctx, const char *name, + float val, int *dim) +{ + if (!isfinite(val) || val < 1.f || val > INT16_MAX) { + av_log(ctx, AV_LOG_ERROR, + "Output %s %g is outside the allowed range [1, %d].\n", + name, val, INT16_MAX); + return AVERROR(EINVAL); + } + + *dim = lrintf(val); + return 0; +} + static int config_output(AVFilterLink *outlink) { AVFilterContext *ctx = outlink->src; @@ -4783,11 +4797,17 @@ static int config_output(AVFilterLink *outlink) if (s->width > 0 && s->height <= 0 && s->h_fov > 0.f && s->v_fov > 0.f && s->out == FLAT && s->d_fov == 0.f) { w = s->width; - h = w / tanf(s->h_fov * M_PI / 360.f) * tanf(s->v_fov * M_PI / 360.f); + err = get_output_dimension(ctx, "height", + w / tanf(s->h_fov * M_PI / 360.f) * tanf(s->v_fov * M_PI / 360.f), &h); + if (err < 0) + return err; } else if (s->width <= 0 && s->height > 0 && s->h_fov > 0.f && s->v_fov > 0.f && s->out == FLAT && s->d_fov == 0.f) { h = s->height; - w = h / tanf(s->v_fov * M_PI / 360.f) * tanf(s->h_fov * M_PI / 360.f); + err = get_output_dimension(ctx, "width", + h / tanf(s->v_fov * M_PI / 360.f) * tanf(s->h_fov * M_PI / 360.f), &w); + if (err < 0) + return err; } else if (s->width > 0 && s->height > 0) { w = s->width; h = s->height; @@ -4802,6 +4822,13 @@ static int config_output(AVFilterLink *outlink) FFSWAP(int, w, h); } + if (w < 1 || w > INT16_MAX || h < 1 || h > INT16_MAX) { + av_log(ctx, AV_LOG_ERROR, + "Output dimensions %dx%d are outside the allowed range [1, %d].\n", + w, h, INT16_MAX); + return AVERROR(EINVAL); + } + s->width = w; s->height = h; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
