From bcbf3a56303d043b1c74e500772ed73a5ebab759 Mon Sep 17 00:00:00 2001
From: Niklas Haas
Date: Mon, 25 Nov 2024 14:27:38 +0100
Subject: [PATCH] avfilter/vf_scale: fix off-by-one in loop bounds

Results in over-read of the array. Fortunately, the excess element was never actually used, but it still triggers ASAN (and could in theory trigger a segfault).

Fixes: 04ce01df0bb2d66e143bcfcea439afc2a1b8d96e
---
 libavfilter/vf_scale.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c
index 5d1eda1a16..d86e50f79b 100644
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -482,7 +482,7 @@ static int query_formats(const AVFilterContext *ctx,
 formats = ff_all_color_spaces();
 for (int i = 0; i < formats->nb_formats; i++) {
 if (!sws_test_colorspace(formats->formats[i], 0)) {
- for (int j = i--; j < formats->nb_formats; j++)
+ for (int j = i--; j + 1 < formats->nb_formats; j++)
 formats->formats[j] = formats->formats[j + 1];
 formats->nb_formats--;
 }
@@ -501,7 +501,7 @@ static int query_formats(const AVFilterContext *ctx,
 formats = ff_all_color_spaces();
 for (int i = 0; i < formats->nb_formats; i++) {
 if (!sws_test_colorspace(formats->formats[i], 1)) {
- for (int j = i--; j < formats->nb_formats; j++)
+ for (int j = i--; j + 1 < formats->nb_formats; j++)
 formats->formats[j] = formats->formats[j + 1];
 formats->nb_formats--;
 }
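Review bot: The corrected shift loop in the hunk at line 482 is repeated verbatim in the hunk at line 501, so the same off-by-one had to be fixed in two places and the two copies can drift apart again; the `i--` hidden inside the for-initializer is what made the original bound easy to misread. The compaction is clearer, and the bound self-evident, as `memmove(&formats->formats[i], &formats->formats[i + 1], (formats->nb_formats - i - 1) * sizeof(*formats->formats));` followed by `formats->nb_formats--;` and `i--;` with a comment such as `/* drop formats[i]; re-examine the element shifted into its slot */`, ideally in one small static helper shared by both sites. Both hunks also dereference `formats` immediately after `ff_all_color_spaces()` with no NULL check visible in the context lines; if that allocation can fail, the check belongs before the loop rather than relying on the caller. The enclosing query_formats() starts and ends outside both hunks.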