This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit cbc62ea2c8a4ad2af31d2f10af304a73213a92db
Author:     David Korczynski <[email protected]>
AuthorDate: Thu May 21 05:48:54 2026 -0700
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun Jun 14 04:41:01 2026 +0200

    avcodec/adpcm: require block_align to be a multiple of channels in ADPCM_PSXC init

    The ADPCM_PSXC block loop in adpcm_decode_frame() (libavcodec/adpcm.c: 2770)
    iterates 'block < avpkt->size / block_align' times and, for each block,
    consumes channels * (1 + (block_align - 1) / channels) input bytes via the
    *unchecked* bytestream2_get_byteu() reader. The loop divides avpkt->size by
    block_align, so the loop bound is sound only when the per-block consumption
    equals block_align — i.e. when block_align is an exact multiple of channels.

    For any other combination (e.g. block_align=9 with channels=8), each block
    consumes more than block_align bytes; iterating avpkt->size/block_align
    blocks then walks the input bytestream past avpkt->data + avpkt->size,
    producing the heap-buffer-overflow READ at libavcodec/bytestream.h:99
    reported as ANT-2026-04052.

    adpcm_decode_init() previously only enforced 'channels > 0' and
    'block_align > 0' for PSXC. Tighten the init check to additionally require
    'block_align % channels == 0', which is the precise invariant the decode
    loop depends on.

    Reproducer: a crafted WAV header declaring channels=8, block_align=9 with
    the decoder forced via 'ffmpeg -c:a adpcm_psxc -i evil.wav'.

    Found-by: Anthropic agents; validated and reported by Ada Logics.
    Signed-off-by: David Korczynski <[email protected]>
    (cherry picked from commit 6d8f7882ae6e7b7b86697474ee1a3755dfba1858)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/adpcm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index e06aa7606b..6ff3dad613 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -294,7 +294,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) break; case AV_CODEC_ID_ADPCM_PSXC: max_channels = 8; - if (avctx->ch_layout.nb_channels <= 0 || avctx->block_align <= 0) + if (avctx->ch_layout.nb_channels <= 0 || avctx->block_align <= 0 || + avctx->block_align % avctx->ch_layout.nb_channels) return AVERROR_INVALIDDATA; break; case AV_CODEC_ID_ADPCM_IMA_DAT4: _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
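Review bot: the added `avctx->block_align % avctx->ch_layout.nb_channels` term in the AV_CODEC_ID_ADPCM_PSXC case has no comment naming the invariant it protects, so a later cleanup of adpcm_decode_init() could drop it as a redundant sanity check. A one-line comment above the `if` stating that the PSXC decode loop consumes channels * (1 + (block_align - 1) / channels) bytes per block, and therefore needs block_align to be a multiple of the channel count, would keep the reason next to the check instead of only in the commit message. The ordering of the condition is correct as written: `nb_channels <= 0` is tested before the modulo, so short-circuit evaluation rules out a division by zero. Because the commit message says the loop reads through the unchecked bytestream2_get_byteu(), this init-time test is the only bound on those reads; it is worth confirming in review that block_align and the channel count cannot change between init and adpcm_decode_frame(), or adding a matching size check at the loop.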
