PR #22491 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22491 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22491.patch
Fixes: out of array writes
Fixes: 492054712/clusterfuzz-testcase-minimized-ffmpeg_BSF_EXTRACT_EXTRADATA_fuzzer-5705993148497920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
>From 1d5b3cd0c89eed79d362770928bcf04a4da9809a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Fri, 13 Mar 2026 02:11:20 +0100
Subject: [PATCH] avcodec/bsf/extract_extradata: Replace incorrect size accounting
Fixes: out of array writes
Fixes: 492054712/clusterfuzz-testcase-minimized-ffmpeg_BSF_EXTRACT_EXTRADATA_fuzzer-5705993148497920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/bsf/extract_extradata.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/libavcodec/bsf/extract_extradata.c b/libavcodec/bsf/extract_extradata.c
index 51879b0f85..1532eb6a7d 100644
--- a/libavcodec/bsf/extract_extradata.c
+++ b/libavcodec/bsf/extract_extradata.c
@@ -396,14 +396,10 @@ static int extract_extradata_lcevc(AVBSFContext *ctx, AVPacket *pkt,
         return AVERROR(ENOMEM);
     }
 
-    *data = extradata;
-    *size = 0;
-
     bytestream2_init_writer(&pb_extradata, extradata, extradata_size);
     if (s->remove)
         bytestream2_init_writer(&pb_filtered_data, filtered_buf->data, filtered_size);
-    filtered_size = 0;
 
     for (i = 0; i < s->h2645_pkt.nb_nals; i++) {
         H2645NAL *nal = &s->h2645_pkt.nals[i];
         if (val_in_array(extradata_nal_types, nb_extradata_nal_types,
@@ -411,33 +407,34 @@ static int extract_extradata_lcevc(AVBSFContext *ctx, AVPacket *pkt,
             bytestream2_put_be24(&pb_extradata, 1); //startcode
             ret = write_lcevc_nalu(ctx, &pb_extradata, nal, 0);
             if (ret < 0) {
-                av_freep(data);
+                av_freep(&extradata);
                 av_buffer_unref(&filtered_buf);
                 return ret;
             }
-            *size += ret;
 
             if (s->remove) {
                 bytestream2_put_be24(&pb_filtered_data, 1); //startcode
                 ret = write_lcevc_nalu(ctx, &pb_filtered_data, nal, 1);
                 if (ret < 0) {
-                    av_freep(data);
+                    av_freep(&extradata);
                     av_buffer_unref(&filtered_buf);
                     return ret;
                 }
-                filtered_size += ret;
             }
         } else if (s->remove) {
             bytestream2_put_be24(&pb_filtered_data, 1); //startcode
             bytestream2_put_bufferu(&pb_filtered_data, nal->raw_data, nal->raw_size);
-            filtered_size += nal->raw_size;
         }
     }
 
+    *data = extradata;
+    *size = bytestream2_tell_p(&pb_extradata);
+    av_assert0(*size <= extradata_size);
     if (s->remove) {
+        av_assert0(bytestream2_tell_p(&pb_filtered_data) <= filtered_size);
         av_buffer_unref(&pkt->buf);
         pkt->buf = filtered_buf;
         pkt->data = filtered_buf->data;
-        pkt->size = filtered_size;
+        pkt->size = bytestream2_tell_p(&pb_filtered_data);
     }
 }
-- 
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
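Review bot: The added `av_assert0(bytestream2_tell_p(&pb_filtered_data) <= filtered_size);` near the end of the hunk can only fire after an overrun has already happened, because a bounded PutByteContext never advances past its end except through the unchecked `bytestream2_put_bufferu(&pb_filtered_data, nal->raw_data, nal->raw_size);` in the `else if (s->remove)` branch. Switching that call to the checked variant, `bytestream2_put_buffer(&pb_filtered_data, nal->raw_data, nal->raw_size);`, keeps an undersized `filtered_size` from corrupting memory and turns the assertion into a true invariant rather than a post-mortem. The bounded writes also fail silently: a truncated `pb_extradata` still satisfies `*size <= extradata_size`, so the function would publish cut-off extradata as if it were complete; before `*data = extradata;` add `if (bytestream2_get_eof(&pb_extradata) || (s->remove && bytestream2_get_eof(&pb_filtered_data))) { av_freep(&extradata); av_buffer_unref(&filtered_buf); return AVERROR_BUG; }`. Whether `extradata_size` and `filtered_size` are exact upper bounds is decided where they are computed earlier in extract_extradata_lcevc, which begins outside this hunk.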
