On Thu, Mar 12, 2026 at 10:49 PM michaelni via ffmpeg-devel <[email protected]> wrote: > > PR #22487 opened by michaelni > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22487 > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22487.patch > > Fixes: out of array read with --disable-safe-bitstream-reader > Fixes: poc_wmv2.avi > > Note, this requires the safe bitstream reader to be turned off by the user > and the user disregarding the security warning > > Change suggested by: Guanni Qu <[email protected]> > Found-by: Guanni Qu <[email protected]> > Signed-off-by: Michael Niedermayer <[email protected]> > > > >From dd5a5141f224a9ad7fcdae3cc467c9872c44b70a Mon Sep 17 00:00:00 2001 > From: Michael Niedermayer <[email protected]> > Date: Thu, 12 Mar 2026 22:58:18 +0100 > Subject: [PATCH] avcodec/wmv2dec: More Checks about reading skip bits > > Fixes: out of array read with --disable-safe-bitstream-reader > Fixes: poc_wmv2.avi > > Note, this requires the safe bitstream reader to be turned off by the user > and the user disregarding the security warning > > Change suggested by: Guanni Qu <[email protected]> > Found-by: Guanni Qu <[email protected]> > Signed-off-by: Michael Niedermayer <[email protected]> > --- > libavcodec/wmv2dec.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c > index 22b9b15e44..8a3239fe7a 100644 > --- a/libavcodec/wmv2dec.c > +++ b/libavcodec/wmv2dec.c > @@ -343,6 +343,8 @@ static int parse_mb_skip(WMV2DecContext *w) > mb_type[mb_y * h->c.mb_stride + mb_x] = > MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV; > } else { > + if (get_bits_left(&h->gb) < h->c.mb_width) > + return AVERROR_INVALIDDATA; > for (int mb_x = 0; mb_x < h->c.mb_width; mb_x++) > mb_type[mb_y * h->c.mb_stride + mb_x] = > (get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | > MB_TYPE_16x16 | MB_TYPE_FORWARD_MV; 
> @@ -358,6 +360,8 @@ static int parse_mb_skip(WMV2DecContext *w) > mb_type[mb_y * h->c.mb_stride + mb_x] = > MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV; > } else { > + if (get_bits_left(&h->gb) < h->c.mb_height) > + return AVERROR_INVALIDDATA; > for (int mb_y = 0; mb_y < h->c.mb_height; mb_y++) > mb_type[mb_y * h->c.mb_stride + mb_x] = > (get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | > MB_TYPE_16x16 | MB_TYPE_FORWARD_MV; > -- > 2.52.0
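Review bot: the check added in the @@ -343 hunk, `if (get_bits_left(&h->gb) < h->c.mb_width)`, carries no comment explaining why it is needed, while the commit message says the over-read only happens with --disable-safe-bitstream-reader. A one-line comment above it, saying that the loop below reads one bit per macroblock in the row (mb_width calls to get_bits1()), would show a later reader that the check is not redundant. Since mb_y is not declared by this loop, the early return happens with mb_type only partly written for the frame, so it is worth confirming that the caller drops the frame on AVERROR_INVALIDDATA.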
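Review bot: the check added before the mb_y loop in the @@ -358 hunk is a copy of the one in the @@ -343 hunk with only the bound changed (h->c.mb_height instead of h->c.mb_width), which makes it easy for a bound and its loop limit to drift apart in a later edit. Each bound does match the loop it guards, at one get_bits1() per iteration. Consider a small helper that takes the bit count, or a comment tying each check to its loop limit, so the pairing stays explicit.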
I don't think we should allow reports specific to that option and have random get_bits_left() checks everywhere as a result.

Kieran
