PR #21551 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21551 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21551.patch
Fixes: out of array read Fixes: VULN-6/poc.raw Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer <[email protected]> >From a2d94c8f0a569c682fe98eae4d359c0e00155713 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Fri, 23 Jan 2026 00:34:56 +0100 Subject: [PATCH] avformat/img2enc: Check split planes packet size Fixes: out of array read Fixes: VULN-6/poc.raw Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/img2enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/img2enc.c b/libavformat/img2enc.c index 62ec5be64b..b11f62d85d 100644 --- a/libavformat/img2enc.c +++ b/libavformat/img2enc.c @@ -217,6 +217,11 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) ysize *= 2; usize *= 2; } + if (ysize + 2*usize + (desc->nb_components > 3) * ysize > pkt->size) { + ret = AVERROR(EINVAL); + goto fail; + } + if ((ret = write_and_close(s, &pb[0], pkt->data , ysize)) < 0 || (ret = write_and_close(s, &pb[1], pkt->data + ysize , usize)) < 0 || (ret = write_and_close(s, &pb[2], pkt->data + ysize + usize, usize)) < 0) -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
