From 3beaa2d70f99e6ec28c0120385ccd2abc922be25 Mon Sep 17 00:00:00 2001 From: Russell Greene Date: Sat, 29 Nov 2025 12:42:13 -0700 Subject: [PATCH] hwcontext_vulkan: remove VK_HOST_IMAGE_COPY_MEMCPY flag Reading the spec for what this flag means, it copies the data verbatim, including any swizzling/tiling, this has two issues 1. the format may not be what ffmpeg expects elsewhere, as it is expecing normal pitch linear host memeory in `swf` 2. the size of the copied data may not match the size of buffer provided, causing heap buffer overflow It seems like addition of this flag is an oversight as it seems to be for caching/backups of image data, just to be used with copying back to the GPU with the MEMCPY flag, which is *not* how its used in ffmpeg. Additionally, set memoryRowLength as if it isn't set, it assumes pitch = width_in_bytes, which I don't think is necessarily the case --- libavutil/hwcontext_vulkan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index a2caaa0959..aac7768033 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c @@ -4440,7 +4440,6 @@ static int vulkan_transfer_host(AVHWFramesContext *hwfc, AVFrame *hwf, }; VkCopyMemoryToImageInfoEXT copy_info = { .sType = VK_STRUCTURE_TYPE_COPY_MEMORY_TO_IMAGE_INFO_EXT, - .flags = VK_HOST_IMAGE_COPY_MEMCPY_EXT, .regionCount = 1, .pRegions = ®ion_info, }; @@ -4466,7 +4465,6 @@ static int vulkan_transfer_host(AVHWFramesContext *hwfc, AVFrame *hwf, }; VkCopyImageToMemoryInfoEXT copy_info = { .sType = VK_STRUCTURE_TYPE_COPY_IMAGE_TO_MEMORY_INFO_EXT, - .flags = VK_HOST_IMAGE_COPY_MEMCPY_EXT, .regionCount = 1, .pRegions = ®ion_info, }; @@ -4476,6 +4474,7 @@ static int vulkan_transfer_host(AVHWFramesContext *hwfc, AVFrame *hwf, get_plane_wh(&p_w, &p_h, swf->format, swf->width, swf->height, i); region_info.pHostPointer = swf->data[i]; + region_info.memoryRowLength = swf->linesize[i]; region_info.imageSubresource.aspectMask = ff_vk_aspect_flag(hwf, i); region_info.imageExtent = (VkExtent3D){ p_w, p_h, 1 }; copy_info.srcImage = hwf_vk->img[img_idx];