zoneminder

mirror/zoneminder

Fork 0

mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-06-22 20:50:06 -04:00

Commit Graph

Author	SHA1	Message	Date
SteveGilvarry	7e15324385	fix: corrupted scaled/converted output for rotated monitors — SWScale guessed buffer alignment from width SWScale::Convert chose av_image_fill_arrays alignment by heuristic (width % 32 ? 1 : 32) for both buffers. Image buffers are always laid out align-32, so any width not divisible by 32 made Convert read luma rows 16 bytes short and chroma planes from packed offsets: diagonal shear plus garbage chroma. Rotating a monitor is what produces such widths (1280x720 ROTATE_270 -> 720 wide, 3840x2160 ROTATE_90 -> 2160 wide, both % 32 == 16), so every scaled view and every re-encode of a rotated monitor was corrupted while unrotated monitors (1280/2688/3840 all % 32 == 0) were untouched. The rotate/flip segfault fix exposed this: before it, rotated planar frames crashed zmc before reaching Scale. Alignment is a fact about how a buffer was laid out, not something derivable from dimensions. Convert now takes explicit in/out alignment: Image::Scale passes 32/32, the videostore encode path mirrors get_out_frame's allocation choice, libvnc passes 1 (packed VNC framebuffer) and 32 (Image WriteBuffer). Remove the unused SetDefaults/ConvertDefaults API rather than threading alignments through dead code. Tests: new Scale regression case on a 720x1280 YUV420P image (column-banded luma, uniform chroma) fails before the fix exactly as observed live (sheared rows, V plane reading 0) and passes after. Full suite 84/84. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-13 10:19:09 +10:00
SteveGilvarry	ee366cdf78	fix: rotate/flip segfault from AV_CEIL_RSHIFT on unsigned dimensions Image::Rotate and Image::Flip computed chroma plane dimensions with AV_CEIL_RSHIFT(width, log2_chroma_w). The macro's runtime form is -((-(a)) >> (b)), which relies on arithmetic right shift of a negative value and is only valid for signed operands - FFmpeg always passes int. Image::width/height are unsigned, so the negation wraps, the shift is logical, and the result is 2^31 + ceil(w/2^b) instead of ceil(w/2^b): for 1280x720 the chroma rotate received src_w=2147484288 and src_h=2147484008 (captured in gdb), writing gigabytes out of bounds. Effect: zmc's decoder thread segfaulted on the first decoded frame of any monitor with a rotated or flipped orientation and a planar pixel format - a monitor with decoding Always crash-loops. Replace the macro at both sites with an explicit unsigned ceiling shift helper and a comment documenting the trap. Tests: new tests/zm_image.cpp covers Rotate 90/180/270 and Flip on YUV420P with per-plane marker pixels, plus odd dimensions exercising the chroma ceiling. The Rotate cases segfault before this fix (verified, exit 139) and pass after. Full suite 85/85 via ctest. Live-verified on a 1280x720 ROTATE_270 monitor with decoding Always: pre-fix crash within seconds, post-fix 90s clean run under gdb. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 19:42:52 +10:00

Author

SHA1

Message

Date

SteveGilvarry

7e15324385

fix: corrupted scaled/converted output for rotated monitors — SWScale guessed buffer alignment from width

SWScale::Convert chose av_image_fill_arrays alignment by heuristic
(width % 32 ? 1 : 32) for both buffers. Image buffers are always laid
out align-32, so any width not divisible by 32 made Convert read luma
rows 16 bytes short and chroma planes from packed offsets: diagonal
shear plus garbage chroma. Rotating a monitor is what produces such
widths (1280x720 ROTATE_270 -> 720 wide, 3840x2160 ROTATE_90 -> 2160
wide, both % 32 == 16), so every scaled view and every re-encode of a
rotated monitor was corrupted while unrotated monitors (1280/2688/3840
all % 32 == 0) were untouched. The rotate/flip segfault fix exposed
this: before it, rotated planar frames crashed zmc before reaching
Scale.

Alignment is a fact about how a buffer was laid out, not something
derivable from dimensions. Convert now takes explicit in/out alignment:
Image::Scale passes 32/32, the videostore encode path mirrors
get_out_frame's allocation choice, libvnc passes 1 (packed VNC
framebuffer) and 32 (Image WriteBuffer). Remove the unused
SetDefaults/ConvertDefaults API rather than threading alignments
through dead code.

Tests: new Scale regression case on a 720x1280 YUV420P image
(column-banded luma, uniform chroma) fails before the fix exactly as
observed live (sheared rows, V plane reading 0) and passes after.
Full suite 84/84.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-13 10:19:09 +10:00

SteveGilvarry

ee366cdf78

fix: rotate/flip segfault from AV_CEIL_RSHIFT on unsigned dimensions

Image::Rotate and Image::Flip computed chroma plane dimensions with
AV_CEIL_RSHIFT(width, log2_chroma_w). The macro's runtime form is
-((-(a)) >> (b)), which relies on arithmetic right shift of a negative
value and is only valid for signed operands - FFmpeg always passes int.
Image::width/height are unsigned, so the negation wraps, the shift is
logical, and the result is 2^31 + ceil(w/2^b) instead of ceil(w/2^b):
for 1280x720 the chroma rotate received src_w=2147484288 and
src_h=2147484008 (captured in gdb), writing gigabytes out of bounds.

Effect: zmc's decoder thread segfaulted on the first decoded frame of
any monitor with a rotated or flipped orientation and a planar pixel
format - a monitor with decoding Always crash-loops.

Replace the macro at both sites with an explicit unsigned ceiling
shift helper and a comment documenting the trap.

Tests: new tests/zm_image.cpp covers Rotate 90/180/270 and Flip on
YUV420P with per-plane marker pixels, plus odd dimensions exercising
the chroma ceiling. The Rotate cases segfault before this fix (verified,
exit 139) and pass after. Full suite 85/85 via ctest. Live-verified on
a 1280x720 ROTATE_270 monitor with decoding Always: pre-fix crash
within seconds, post-fix 90s clean run under gdb.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-11 19:42:52 +10:00

2 Commits