PR #22488 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22488 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22488.patch
Fixes: out of array access Fixes: poc_matroska.mkv This issue requires manually increasing the malloc limit (-max_alloc 4294967296) Found-by: Guanni Qu <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> >From 6efa8c6c6e93906cbb2ef390e4cd4218c4203d48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Thu, 12 Mar 2026 23:25:17 +0100 Subject: [PATCH] avformat/matroskadec: Check audio.sub_packet_h * audio.frame_size Fixes: out of array access Fixes: poc_matroska.mkv This issue requires manually increasing the malloc limit (-max_alloc 4294967296) Found-by: Guanni Qu <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index ea57692e85..d544a533ff 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2763,6 +2763,8 @@ static int mka_parse_audio_codec(MatroskaTrack *track, AVCodecParameters *par, track->audio.sub_packet_h <= 0 || track->audio.frame_size <= 0) return AVERROR_INVALIDDATA; + if (track->audio.sub_packet_h * (unsigned)track->audio.frame_size > (1<<24)) + return AVERROR_INVALIDDATA; if (par->codec_id == AV_CODEC_ID_RA_288) { if (track->audio.sub_packet_h & 1 || 2 * track->audio.frame_size -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
