[FFmpeg-devel] [PR] avformat/flvdec: Check *size in cts parsing (PR #21744)

Thu, 12 Feb 2026 17:01:17 -0800 

PR #21744 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21744
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21744.patch

Fixes: Assertion buf_size >= 0 failed
Fixes: 
471553942/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5982849812725760

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>


>From 1a9d949b2690f4419c55055f528e378c68526d4f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Thu, 12 Feb 2026 23:10:32 +0100
Subject: [PATCH] avformat/flvdec: Check *size in cts parsing

Fixes: Assertion buf_size >= 0 failed
Fixes: 
471553942/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5982849812725760

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/flvdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index d10fbf216e..18bdbd18bd 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -1775,6 +1775,10 @@ retry_duration:
             if (st->codecpar->codec_id == AV_CODEC_ID_MPEG4 ||
                 ((st->codecpar->codec_id == AV_CODEC_ID_H264 || 
st->codecpar->codec_id == AV_CODEC_ID_HEVC) &&
                  (!enhanced_flv || type == PacketTypeCodedFrames))) {
+                if (size < 3 || track_size < 3) {
+                    ret = AVERROR_INVALIDDATA;
+                    goto leave;
+                }
                 // sign extension
                 int32_t cts = (avio_rb24(s->pb) + 0xff800000) ^ 0xff800000;
                 pts = av_sat_add64(dts, cts);
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to