From b1942734c7cbcdc9034034373abcc9ecb9644c47 From: Paul B Mahol Date: Mon Nov 27 11:45:34 2023 +0100 Subject: avfilter/af_afwtdn: fix crash with EOF handling References: https://bugzilla.opensuse.org/1223253 References: CVE-2023-50007 diff -Nura ffmpeg-5.1.4/libavfilter/af_afwtdn.c ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c --- ffmpeg-5.1.4/libavfilter/af_afwtdn.c 2023-11-10 07:38:51.000000000 +0800 +++ ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c 2024-04-25 16:14:12.016919074 +0800 @@ -410,6 +410,7 @@ uint64_t sn; int64_t eof_pts; + int eof; int wavelet_type; int channels; @@ -1071,7 +1072,7 @@ s->drop_samples = 0; } else { if (s->padd_samples < 0 && eof) { - out->nb_samples += s->padd_samples; + out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples); s->padd_samples = 0; } if (!eof) @@ -1210,23 +1211,26 @@ FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink); - ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); - if (ret < 0) - return ret; - if (ret > 0) - return filter_frame(inlink, in); + if (!s->eof) { + ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); + if (ret < 0) + return ret; + if (ret > 0) + return filter_frame(inlink, in); + } if (ff_inlink_acknowledge_status(inlink, &status, &pts)) { - if (status == AVERROR_EOF) { - while (s->padd_samples != 0) { - ret = filter_frame(inlink, NULL); - if (ret < 0) - return ret; - } - ff_outlink_set_status(outlink, status, pts); - return ret; - } + if (status == AVERROR_EOF) + s->eof = 1; } + + if (s->eof && s->padd_samples != 0) { + return filter_frame(inlink, NULL); + } else if (s->eof) { + ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts); + return 0; + } + FF_FILTER_FORWARD_WANTED(outlink, inlink); return FFERROR_NOT_READY;