PR #21401 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21401
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21401.patch

The APP parser can read a fixed number of bytes without checking len,
making len negative and passing it to bytestream2_skipu(), which takes
an unsigned size. This can advance the buffer by a huge amount and
results in undefined behavior.

Add small len guards in the fixed-size AVI1/LJIF paths and only skip
the tail if len > 0.

From 78b4d1317d48d4c94994a961fe47b62463304da0 Mon Sep 17 00:00:00 2001
From: retr0reg <[email protected]>
Date: Tue, 6 Jan 2026 20:27:21 -0500
Subject: [PATCH] avcodec/mjpegdec: avoid negative len in APP parser

The APP parser can read a fixed number of bytes without checking len,
making len negative and passing it to bytestream2_skipu(), which takes
an unsigned size. This can advance the buffer by a huge amount and
results in undefined behavior.

Add small len guards in the fixed-size AVI1/LJIF paths and only skip
the tail if len > 0.
---
 libavcodec/mjpegdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 417cedae4a..092bc3c2ff 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1905,6 +1905,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
             4bytes      field_size_less_padding
         */
             s->buggy_avid = 1;
+        if (len < 1)
+            goto out;
         i = bytestream2_get_byteu(&s->gB); len--;
         av_log(s->avctx, AV_LOG_DEBUG, "polarity %d\n", i);
         goto out;
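
Review bot: the `len < 1` guard is correct for the single `bytestream2_get_byteu()` that follows, but the constant deserves a one-line comment, because the structure comment above lists further fixed-size fields after polarity and a reader will wonder why the check is not for the whole structure. Something like `/* only the polarity byte is read here; the remaining fields are skipped at out */` above the `if` would make it clear that the trailing bytes are intentionally left to the `len > 0` skip at the `out:` label.
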
@@ -1969,6 +1971,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
         if (s->avctx->debug & FF_DEBUG_PICT_INFO)
             av_log(s->avctx, AV_LOG_INFO,
                    "Pegasus lossless jpeg header found\n");
+        if (len < 9)
+            goto out;
         bytestream2_skipu(&s->gB, 2); /* version ? */
         bytestream2_skipu(&s->gB, 2); /* unknown always 0? */
         bytestream2_skipu(&s->gB, 2); /* unknown always 0? */
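
Review bot: the constant 9 in `if (len < 9)` is not explained by the hunk; the three 2-byte skips visible here account for only 6 bytes, so the guard depends on reads further down making up the rest, and a comment stating the total number of bytes consumed by this LJIF path (or a shared constant used both here and where `len` is later decremented) would keep the two from drifting apart on a future edit. Also, when the guard fires with `0 <= len < 9` the truncated header is skipped silently at `out:`; an `av_log` at debug level before the `goto out`, alongside the "Pegasus lossless jpeg header found" message just above, would help diagnose such files.
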
@@ -2163,7 +2167,7 @@ out:
     if (len < 0)
         av_log(s->avctx, AV_LOG_ERROR,
                "mjpeg: error, decode_app parser read over the end\n");
-    if (len)
+    if (len > 0)
         bytestream2_skipu(&s->gB, len);
 
     return 0;
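
Review bot: `if (len > 0)` is the actual fix, since a negative `len` converted to the unsigned size parameter of `bytestream2_skipu()` is what advanced the buffer by a huge amount; with this change the `len < 0` branch above only logs. Note that the function still returns 0 after that `AV_LOG_ERROR` message, so an APP segment that was over-read is reported but not rejected; if the intent is to fail on such input, return `AVERROR_INVALIDDATA` in that branch, and if lenient decoding is intended, say so in the commit message so the error-level log is not read as an unhandled condition.
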
-- 
2.49.1
