[FFmpeg-cvslog] avfilter/vf_scale: fix off-by-one in loop bounds

[Niklas Haas]

ffmpeg | branch: master | Niklas Haas <git at haasn.dev> | Mon Nov 25 14:27:38 2024 +0100| [bcbf3a56303d043b1c74e500772ed73a5ebab759] | committer: Niklas Haas

avfilter/vf_scale: fix off-by-one in loop bounds

Results in over-read of the array. Fortunately, the excess element was
never actually used, but it still triggers ASAN (and could in theory trigger
a segfault).

Fixes: 04ce01df0bb2d66e143bcfcea439afc2a1b8d96e

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bcbf3a56303d043b1c74e500772ed73a5ebab759
---

 libavfilter/vf_scale.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c
index 5d1eda1a16..d86e50f79b 100644
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -482,7 +482,7 @@ static int query_formats(const AVFilterContext *ctx,
     formats = ff_all_color_spaces();
     for (int i = 0; i < formats->nb_formats; i++) {
         if (!sws_test_colorspace(formats->formats[i], 0)) {
-            for (int j = i--; j < formats->nb_formats; j++)
+            for (int j = i--; j + 1 < formats->nb_formats; j++)
                 formats->formats[j] = formats->formats[j + 1];
             formats->nb_formats--;
         }
@@ -501,7 +501,7 @@ static int query_formats(const AVFilterContext *ctx,
         formats = ff_all_color_spaces();
         for (int i = 0; i < formats->nb_formats; i++) {
             if (!sws_test_colorspace(formats->formats[i], 1)) {
-                for (int j = i--; j < formats->nb_formats; j++)
+                for (int j = i--; j + 1 < formats->nb_formats; j++)
                     formats->formats[j] = formats->formats[j + 1];
                 formats->nb_formats--;
             }