[FFmpeg-devel] [PATCH] libavfilter/vf_stack.c: check input height for avoiding crashed

[hung kuishing]

In the case of vertical layout, if the chroma height is ceil rounded when shifted to the right,
the total height of the chroma input will be greater than the output height,
and a crash occurs.

So make sure that the luma height can be shifted to the right to get an integer chroma height

Signed-off-by: clarkh <hungkuishing at outlook.com>
---
 libavfilter/vf_stack.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/libavfilter/vf_stack.c b/libavfilter/vf_stack.c
index 331dc7b3e3..877867938f 100644
--- a/libavfilter/vf_stack.c
+++ b/libavfilter/vf_stack.c
@@ -220,6 +220,11 @@ static int config_output(AVFilterLink *outlink)
                 return ret;
             }
 
+            if (inlink->h % (1 << s->desc->log2_chroma_h)) {
+                av_log(ctx, AV_LOG_ERROR, "Input %d height %d does not divisible by %d\n", i, inlink->h, (1 << s->desc->log2_chroma_h));
+                return AVERROR(EINVAL);
+            }
+
             item->height[1] = item->height[2] = AV_CEIL_RSHIFT(inlink->h, s->desc->log2_chroma_h);
             item->height[0] = item->height[3] = inlink->h;
 
@@ -278,6 +283,11 @@ static int config_output(AVFilterLink *outlink)
                     return ret;
                 }
 
+                if ((s->nb_grid_rows > 1) && (inlink->h % (1 << s->desc->log2_chroma_h))) {
+                    av_log(ctx, AV_LOG_ERROR, "Input %d height %d does not divisible by %d\n", k, inlink->h, (1 << s->desc->log2_chroma_h));
+                    return AVERROR(EINVAL);
+                }
+
                 item->height[1] = item->height[2] = AV_CEIL_RSHIFT(inlink->h, s->desc->log2_chroma_h);
                 item->height[0] = item->height[3] = inlink->h;
 
@@ -302,6 +312,7 @@ static int config_output(AVFilterLink *outlink)
         char *arg2, *p2, *saveptr2 = NULL;
         char *arg3, *p3, *saveptr3 = NULL;
         int inw, inh, size;
+        int is_multi_row = av_strnstr(s->layout, "h0", strlen(s->layout)) != NULL;
 
         if (s->fillcolor_enable) {
             ff_draw_init(&s->draw, ctx->inputs[0]->format, 0);
@@ -321,6 +332,11 @@ static int config_output(AVFilterLink *outlink)
                 return ret;
             }
 
+            if (is_multi_row && (inlink->h % (1 << s->desc->log2_chroma_h))) {
+                av_log(ctx, AV_LOG_ERROR, "Input %d height %d does not divisible by %d\n", i, inlink->h, (1 << s->desc->log2_chroma_h));
+                return AVERROR(EINVAL);
+            }
+
             item->height[1] = item->height[2] = AV_CEIL_RSHIFT(inlink->h, s->desc->log2_chroma_h);
             item->height[0] = item->height[3] = inlink->h;
 
-- 
2.34.1