PR #21196 opened by ruikai URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21196 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21196.patch
Regression since: 536475ea05. The JPEG-XS PES path trusted header_size from the payload and advanced pkt->data/pkt->size without validation, so the trailing memset could write out of bounds when header_size > pkt->size. Reject such packets, marking them corrupt and returning an error to avoid the OOB write.

Repro (ASan):

    ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 \
    ./ffmpeg -v debug -nostdin -i poc-jpegxs.ts -copy_unknown -map 0 \
    -c copy -f null /dev/null

Crash in new_pes_packet memset on crafted TS with stream_id 0xbd, stream_type 0x32, header_size 0xFFFFFF00, payload starting with jxes.

Found-by: Pwno

From 91385c6417b60d2d609bceb6ccab3da28070a263 Mon Sep 17 00:00:00 2001
From: Ruikai Peng <[email protected]>
Date: Sun, 14 Dec 2025 12:26:37 -0500
Subject: [PATCH] avformat/mpegts: bounds-check JPEG-XS header_size before padding

Regression since: 536475ea05. The JPEG-XS PES path trusted header_size from the payload and advanced pkt->data/pkt->size without validation, so the trailing memset could write out of bounds when header_size > pkt->size. Reject such packets, marking them corrupt and returning an error to avoid the OOB write.

Repro (ASan): ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 ./ffmpeg -v debug -nostdin -i poc-jpegxs.ts -copy_unknown -map 0 -c copy -f null /dev/null

Crash in new_pes_packet memset on crafted TS with stream_id 0xbd, stream_type 0x32, header_size 0xFFFFFF00, payload starting with jxes.

Found-by: Pwno
---
 libavformat/mpegts.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index fb1dcd11be..7c19abaf76 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1035,6 +1035,13 @@ static int new_pes_packet(PESContext *pes, AVPacket *pkt) pkt->size >= 8 && memcmp(pkt->data + 4, "jxes", 4) == 0) { uint32_t header_size = AV_RB32(pkt->data); + if (header_size > pkt->size) { + av_log(pes->stream, AV_LOG_WARNING, + "Invalid JPEG-XS header size %"PRIu32" > packet size %d\n", + header_size, pkt->size); + pes->flags |= AV_PKT_FLAG_CORRUPT; + return AVERROR_INVALIDDATA; + } pkt->data += header_size; pkt->size -= header_size; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
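Review bot: the new guard only rejects header_size > pkt->size, but the enclosing condition (pkt->size >= 8 and the "jxes" magic at pkt->data + 4) already establishes that the header this branch recognises is at least 8 bytes long, so a header_size of 0..7 passes the check and leaves the length field or magic in the returned payload instead of stripping them; consider `if (header_size < 8 || header_size > pkt->size)`. Also worth a short comment: the comparison is between uint32_t header_size and int pkt->size, which is only safe because pkt->size >= 8 has been established just above, so pkt->size cannot be negative when it is converted to unsigned for the compare. The log message and AV_PKT_FLAG_CORRUPT handling otherwise look consistent with the surrounding error paths.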
