This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new e7cbfd1c50 avcodec/lcldec: zero the not-decoded tail to avoid heap 
disclosure
e7cbfd1c50 is described below

commit e7cbfd1c507b57a806a5825b87d609963e862c8c
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sun Jun 28 19:04:07 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Sun Jul 5 00:08:36 2026 +0000

    avcodec/lcldec: zero the not-decoded tail to avoid heap disclosure
    
    Fixes: use of uninitialized memory
    Fixes: CsNDKB1K1U0C
    Fixes: e2c3aa8e2b (avcodec/lcldec: More space for rgb24)
    Found-by: Adrian Junge (vurlo)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/lcldec.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index 29b1d85be3..5023243017 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -120,6 +120,9 @@ static unsigned int mszh_decomp(const unsigned char * 
srcptr, int srclen, unsign
         }
     }
 
+    if (destptr < destptr_end)
+        memset(destptr, 0, destptr_end - destptr);
+
     return destptr - destptr_bak;
 }
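Review bot: The new memset before the return in mszh_decomp carries no comment saying why the tail is cleared, and the security reason is only in the commit message. I would add above the `if`: `/* Zero the undecoded tail so stale heap bytes are never exposed through the decoded output */`. The `destptr < destptr_end` guard also keeps the length from going negative, which is worth keeping if the loop is reworked later. The return value still reports only the decoded length, so a short decode stays visible to the caller. The function body starts outside the hunk, so how the caller reads the buffer cannot be confirmed here.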
 
@@ -153,8 +156,11 @@ static int zlib_decomp(AVCodecContext *avctx, const 
uint8_t *src, int src_len, i
     if (expected != (unsigned int)zstream->total_out) {
         av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n",
                expected, zstream->total_out);
-        if (expected > (unsigned int)zstream->total_out)
+        if (expected > (unsigned int)zstream->total_out) {
+            memset(c->decomp_buf + offset + zstream->total_out, 0,
+                   c->decomp_size - offset - zstream->total_out);
             return (unsigned int)zstream->total_out;
+        }
         return AVERROR_UNKNOWN;
     }
     return zstream->total_out;
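Review bot: The memset length `c->decomp_size - offset - zstream->total_out` is computed from mixed types (`int offset`, the `unsigned long` that `%lu` implies for `total_out`) and is safe only if `offset + total_out <= decomp_size`. If that ever failed, the subtraction would wrap and the memset would write far past the buffer. Presumably inflate()'s output limit, set earlier in zlib_decomp and outside this hunk, guarantees it, but nothing in the visible lines does. I would record the invariant at the memset, e.g. `/* total_out is bounded by the avail_out set above, so the remainder cannot wrap */`, after confirming it against the setup code. The clearing runs to the end of the buffer rather than to `expected`; that looks intentional given the Fixes reference to the larger rgb24 buffer, and a word on it in the same comment would help.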
