This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit 5d142f8dc3dced0cecb87d9a3ddd66d1000719b7 Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Thu Apr 23 02:47:11 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 19:27:35 2026 +0200 avformat/avidec: validate INFO list size before parsing Reject INFO list chunks that are too small to contain the expected 4-byte list type field before calling ff_read_riff_info(). The parser subtracts 4 from the list size when handing the remaining payload to ff_read_riff_info(). If the chunk is smaller than 4 bytes, that underflows the expected structure and should be treated as invalid input. Fixes: DFVULN-607 *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* (cherry picked from commit f1c3f1cae1bbe51d61fea461954b70882c3800ff) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/avidec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 3b72f93265..fd1ecfcf9e 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -545,9 +545,11 @@ static int avi_read_header(AVFormatContext *s) avi->movi_end = avi->fsize; av_log(s, AV_LOG_TRACE, "movi end=%"PRIx64"\n", avi->movi_end); goto end_of_header; - } else if (tag1 == MKTAG('I', 'N', 'F', 'O')) + } else if (tag1 == MKTAG('I', 'N', 'F', 'O')) { + if (size < 4) + return AVERROR_INVALIDDATA; ff_read_riff_info(s, size - 4); - else if (tag1 == MKTAG('n', 'c', 'd', 't')) + } else if (tag1 == MKTAG('n', 'c', 'd', 't')) avi_read_nikon(s, list_end); break; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
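Review bot: in the avi_read_header() hunk, the new `if (size < 4)` branch makes a too-short INFO list fatal for the whole header, while the return value of `ff_read_riff_info(s, size - 4)` on the following line is still discarded, so the two failure paths for the same chunk are handled inconsistently. Either propagate the parser's result as well (assign it to a local and return it when negative), or state in a comment why a malformed INFO payload is tolerated but a short one is not. The early return also gives no diagnostic; an av_log() at warning or error level naming the INFO list and the offending size, in the style of the AV_LOG_TRACE call a few lines up, would make rejected files easier to triage. The declaration of `size` is outside the visible context, so it is worth confirming its type when applying the cherry-pick to release/4.4: the guard only protects `size - 4` if the comparison is evaluated on the same type that is passed to ff_read_riff_info().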
