This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 16f89d342e avformat/mpegts: bounds-check JPEG-XS header_size before
padding
16f89d342e is described below
commit 16f89d342ebd5f726a5787e2e00069f339c7b446
Author: Ruikai Peng <[email protected]>
AuthorDate: Sun Dec 14 12:26:37 2025 -0500
Commit: James Almer <[email protected]>
CommitDate: Sun Dec 14 17:42:59 2025 +0000
avformat/mpegts: bounds-check JPEG-XS header_size before padding

Regression since: 536475ea05.

The JPEG-XS PES path trusted header_size from the payload and advanced
pkt->data/pkt->size without validation, so the trailing memset could
write out of bounds when header_size > pkt->size. Reject such packets,
marking them corrupt and returning an error to avoid the OOB write.

Repro (ASan):
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 ./ffmpeg -v debug -nostdin -i
poc-jpegxs.ts -copy_unknown -map 0 -c copy -f null /dev/null

Crash in new_pes_packet memset on crafted TS with stream_id 0xbd,
stream_type 0x32, header_size 0xFFFFFF00, payload starting with jxes.

Found-by: Pwno
---
libavformat/mpegts.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index fb1dcd11be..7c19abaf76 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1035,6 +1035,13 @@ static int new_pes_packet(PESContext *pes, AVPacket *pkt)
pkt->size >= 8 && memcmp(pkt->data + 4, "jxes", 4) == 0)
{
uint32_t header_size = AV_RB32(pkt->data);
+ if (header_size > pkt->size) {
+ av_log(pes->stream, AV_LOG_WARNING,
+ "Invalid JPEG-XS header size %"PRIu32" > packet size %d\n",
+ header_size, pkt->size);
+ pes->flags |= AV_PKT_FLAG_CORRUPT;
+ return AVERROR_INVALIDDATA;
+ }
pkt->data += header_size;
pkt->size -= header_size;
}
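Review bot: in the new `if (header_size > pkt->size)` branch, `pes->flags |= AV_PKT_FLAG_CORRUPT` is set on the PES context and the very next line returns `AVERROR_INVALIDDATA`, so nothing in this hunk carries the flag over to `pkt` before the return. Please confirm that the caller either consumes `pes->flags` on the error path or resets it; otherwise the assignment is dead here or the flag leaks into the next packet, and if the packet is dropped on error the assignment can simply go. The comparison also mixes the `uint32_t` header_size with the `int` `pkt->size`; it is only correct because the context line above guarantees `pkt->size >= 8`, which deserves a one-line comment so a later refactor does not separate the two checks. Finally, the check accepts `header_size == pkt->size` and any value below 8, so an empty payload or a declared header shorter than the 8 bytes just inspected still passes; consider whether those cases should be rejected as well.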