Hi Kieran

On Fri, Mar 13, 2026 at 05:27:08PM +0000, Kieran Kunhya via ffmpeg-devel wrote:
> On Thu, Mar 12, 2026 at 10:49 PM michaelni via ffmpeg-devel
> <[email protected]> wrote:
> >
> > PR #22487 opened by michaelni
> > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22487
> > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22487.patch
> >
> > Fixes: out of array read with --disable-safe-bitstream-reader
> > Fixes: poc_wmv2.avi
> >
> > Note, this requires the safe bitstream reader to be turned off by the user 
> > and the user disregarding the security warning
> >
> > Change suggested by: Guanni Qu <[email protected]>
> > Found-by: Guanni Qu <[email protected]>
> > Signed-off-by: Michael Niedermayer <[email protected]>
> >
> >
> > >From dd5a5141f224a9ad7fcdae3cc467c9872c44b70a Mon Sep 17 00:00:00 2001
> > From: Michael Niedermayer <[email protected]>
> > Date: Thu, 12 Mar 2026 22:58:18 +0100
> > Subject: [PATCH] avcodec/wmv2dec: More Checks about reading skip bits
> >
> > Fixes: out of array read with --disable-safe-bitstream-reader
> > Fixes: poc_wmv2.avi
> >
> > Note, this requires the safe bitstream reader to be turned off by the user 
> > and the user disregarding the security warning
> >
> > Change suggested by: Guanni Qu <[email protected]>
> > Found-by: Guanni Qu <[email protected]>
> > Signed-off-by: Michael Niedermayer <[email protected]>
> > ---
> >  libavcodec/wmv2dec.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c
> > index 22b9b15e44..8a3239fe7a 100644
> > --- a/libavcodec/wmv2dec.c
> > +++ b/libavcodec/wmv2dec.c
> > @@ -343,6 +343,8 @@ static int parse_mb_skip(WMV2DecContext *w)
> >                      mb_type[mb_y * h->c.mb_stride + mb_x] =
> >                          MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
> >              } else {
> > +                if (get_bits_left(&h->gb) < h->c.mb_width)
> > +                    return AVERROR_INVALIDDATA;
> >                  for (int mb_x = 0; mb_x < h->c.mb_width; mb_x++)
> >                      mb_type[mb_y * h->c.mb_stride + mb_x] =
> >                          (get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | 
> > MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
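
Review bot: the added `get_bits_left(&h->gb) < h->c.mb_width` test in the else branch is unconditional, so it also runs in builds that keep the safe bitstream reader, while the commit message only describes the --disable-safe-bitstream-reader case. A row that is short of bits now makes parse_mb_skip() return AVERROR_INVALIDDATA in every configuration; if that is intended, say so in the commit message. A one-line comment that the loop below consumes exactly mb_width bits through get_bits1() would also make it clear that the bound is exact.
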
> > @@ -358,6 +360,8 @@ static int parse_mb_skip(WMV2DecContext *w)
> >                      mb_type[mb_y * h->c.mb_stride + mb_x] =
> >                          MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
> >              } else {
> > +                if (get_bits_left(&h->gb) < h->c.mb_height)
> > +                    return AVERROR_INVALIDDATA;
> >                  for (int mb_y = 0; mb_y < h->c.mb_height; mb_y++)
> >                      mb_type[mb_y * h->c.mb_stride + mb_x] =
> >                          (get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | 
> > MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
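
Review bot: the early `return AVERROR_INVALIDDATA;` in the column branch can fire after earlier columns have already been written into mb_type, which leaves the table partly updated. The caller is not visible in this hunk, so please confirm that it propagates the error and does not go on to use mb_type for this frame. The bound itself matches the loop, which reads one bit per mb_y for mb_height iterations.
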
> > --
> > 2.52.0
> 
> I don't think we should allow reports specific to that option and have

I didn't see your reply as Forgejo doesn't parse replies from the ML. And I am
not checking both web and ML by hand for every pull request

But I agree with what you say


> random get_bits_left() checks everywhere as a result.

I think these specific 2 checks are within the range of checks we
have added elsewhere and previously

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you fake or manipulate statistics in a paper in physics you will never
get a job again.
If you fake or manipulate statistics in a paper in medicine you will get
a job for life at the pharma industry.
