PR #21453 opened by Manuel Lauss (mlauss2) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21453 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21453.patch
Fix the required size calculation to avoid a source buffer overread. Reported-by: Ruikai Peng <[email protected]> Signed-off-by: Manuel Lauss <[email protected]> >From 18eb00a038567709d31160d80701ad8915818bdc Mon Sep 17 00:00:00 2001 From: Manuel Lauss <[email protected]> Date: Tue, 13 Jan 2026 21:21:42 +0100 Subject: [PATCH] avcodec/sanm: fix BL16 c1/7 source overread Fix the required size calculation. Reported-by: Ruikai Peng <[email protected]> Signed-off-by: Manuel Lauss <[email protected]>
---
 libavcodec/sanm.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 771ecf8246..fc07ec659c 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -2272,15 +2272,15 @@ static inline uint16_t bl16_c1_avg_col(uint16_t c1, uint16_t c2)
 */
 static int bl16_decode_1(SANMVideoContext *ctx)
 {
- uint16_t hh, hw, c1, c2, *dst1, *dst2;
-
- if (bytestream2_get_bytes_left(&ctx->gb) < ((ctx->width * ctx->height) / 2))
- return AVERROR_INVALIDDATA;
+ uint16_t hh, hw, hw1, c1, c2, *dst1, *dst2;
 hh = (ctx->height + 1) >> 1;
+ hw1 = (ctx->width - 1) >> 1;
+ if (!hw1 || (bytestream2_get_bytes_left(&ctx->gb) < (hh * hw1 * 2)))
+ return AVERROR_INVALIDDATA;
 dst1 = (uint16_t *)ctx->frm0 + ctx->pitch; /* start with line 1 */
 while (hh--) {
- hw = (ctx->width - 1) >> 1;
+ hw = hw1;
 c1 = bytestream2_get_le16u(&ctx->gb);
 dst1[0] = c1;
 dst1[1] = c1;
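Review bot: The new guard in bl16_decode_1 (and the identical one in bl16_decode_7) tests values that have already been narrowed to uint16_t, so `!hw1` rejects widths 1 and 2 but not a width below 1: assuming `ctx->width` is a signed int, `(ctx->width - 1) >> 1` would then be negative and would typically land in `hw1` as a large nonzero value. Unless an earlier check already guarantees a positive width, test the int before narrowing, e.g. `if (ctx->width < 3) return AVERROR_INVALIDDATA;`. The products `hh * hw1 * 2` and `hh * hw1` are evaluated in int after promotion, which holds only while frame dimensions are capped well below 16 bits; that cap is not visible in these hunks. The inner loop that consumes the input lies outside both hunks, so a one-line comment above each check stating the read count it assumes, such as `/* each of the hh rows reads hw1 16-bit values */` (one byte per value in bl16_decode_7), would let a reader check the bound against the loop.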
@@ -2599,15 +2599,15 @@ static int bl16_decode_6(SANMVideoContext *ctx)
 */
 static int bl16_decode_7(SANMVideoContext *ctx)
 {
- uint16_t hh, hw, c1, c2, *dst1, *dst2;
-
- if (bytestream2_get_bytes_left(&ctx->gb) < ((ctx->width * ctx->height) / 4))
- return AVERROR_INVALIDDATA;
+ uint16_t hh, hw, hw1, c1, c2, *dst1, *dst2;
 hh = (ctx->height + 1) >> 1;
+ hw1 = (ctx->width - 1) >> 1;
+ if (!hw1 || (bytestream2_get_bytes_left(&ctx->gb) < (hh * hw1)))
+ return AVERROR_INVALIDDATA;
 dst1 = (uint16_t *)ctx->frm0 + ctx->pitch; /* start with line 1 */
 while (hh--) {
- hw = (ctx->width - 1) >> 1;
+ hw = hw1;
 c1 = ctx->codebook[bytestream2_get_byteu(&ctx->gb)];
 dst1[0] = c1; /* leftmost 2 pixels of a row are identical */
 dst1[1] = c1;
--
2.49.1
_______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
