From: Benedict <[email protected]>
Date: Tue, 6 May 2026
Summary:
Add a bounds check for nb_index_entries in jvdec.c before allocating
index_entries and frames arrays. This aligns with similar validation
present in other demuxers (e.g., rl2.c) and improves robustness when
handling malformed input.
Details:
In read_header(), nb_index_entries is read from the input file and
used directly in allocation expressions:
av_malloc(nb_index_entries * sizeof(AVIndexEntry));
av_malloc(nb_index_entries * sizeof(JVFrame));
Adding a validation check ensures consistency with other demuxers and
prevents potential overflow scenarios on constrained platforms.
Proposed fix:
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -95,6 +95,12 @@ static int read_header(AVFormatContext *s)
vst->duration =
vst->nb_frames =
asti->nb_index_entries = avio_rl16(pb);
+
+ /* Validate nb_index_entries to prevent excessive allocation */
+ if (asti->nb_index_entries > INT_MAX / sizeof(AVIndexEntry) ||
+ asti->nb_index_entries > INT_MAX / sizeof(JVFrame)) {
+ return AVERROR_INVALIDDATA;
+ }
avpriv_set_pts_info(vst, 64, avio_rl16(pb), 1000);
avio_skip(pb, 4);
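Review bot: the new check in this hunk cannot fire. `asti->nb_index_entries` is assigned from `avio_rl16(pb)` on the line directly above it, so it is at most 65535, and 65535 * sizeof(AVIndexEntry) or 65535 * sizeof(JVFrame) is a few megabytes at most, far below INT_MAX on every target FFmpeg builds for; both comparisons are therefore always false and the allocations later in read_header() behave exactly as before. The comment "Validate nb_index_entries to prevent excessive allocation" is also misleading for the same reason: a 16-bit count can never be "excessive" by this bound. If the intent is purely consistency with other demuxers, the commit message should say the check is defensive and has no observable effect; if the intent is a real cap, the bound has to come from what a valid JV file can actually carry, not from INT_MAX. Two smaller points: the comparison mixes `int` (nb_index_entries) with `size_t` (`INT_MAX / sizeof(...)`), which trips signed/unsigned comparison warnings in builds that enable them, and FFmpeg style drops the braces around a single-statement `if` body, i.e. `if (cond)` followed by `return AVERROR_INVALIDDATA;` on the next line.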
Rationale:
- Improves consistency with rl2.c and similar parsers
- Adds defensive validation against malformed input
- No impact on valid files
Signed-off-by: Benedict <[email protected]>
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
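The reviewer's point about the 16-bit read is easiest to see with the arithmetic separated out. The following is an added example, not FFmpeg code and not the patch author's code: it mirrors the `count * sizeof(T)` allocation pattern from jvdec.c with a checked helper, little-endian readers with the semantics of avio_rl16/avio_rl32, and a constructed all-0xFF header. `IndexEntry`, `Frame`, `alloc_array_checked`, `header_ok_16`, `header_ok_32` and `demo_header` are hypothetical names chosen for this example; the struct sizes are made up and only the shape of the bound check matters. Read as 16 bits the worst-case count passes the `INT_MAX / sizeof(T)` bound, read as 32 bits the same bytes are rejected, which is the difference between a dead check and a live one.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-ins for AVIndexEntry and JVFrame (sizes are made up
 * for this example; only the shape of the arithmetic matters). */
typedef struct { int64_t pos; int64_t timestamp; int flags; int size; } IndexEntry;
typedef struct { int audio_size; int video_size; int palette_size; } Frame;

/* Largest count for which count * elem_size is representable as a
 * non-negative int: the same bound as INT_MAX / sizeof(T) in the patch. */
static size_t max_count_for(size_t elem_size)
{
    return (size_t)INT_MAX / elem_size;
}

/* Byte size the allocation would request, computed in 64 bits so the
 * check itself cannot overflow. */
static uint64_t requested_bytes(uint32_t count, size_t elem_size)
{
    return (uint64_t)count * elem_size;
}

/* 1 if count * elem_size stays within the int bound, 0 otherwise. */
static int count_fits(uint32_t count, size_t elem_size)
{
    return count <= max_count_for(elem_size);
}

/* Checked allocation: NULL with *err = -1 on a bad count (what
 * AVERROR_INVALIDDATA signals in FFmpeg), NULL with *err = -2 on ENOMEM.
 * A zero count allocates one element so a valid empty table is non-NULL. */
static void *alloc_array_checked(uint32_t count, size_t elem_size, int *err)
{
    void *p;
    if (!count_fits(count, elem_size)) {
        *err = -1;
        return NULL;
    }
    p = calloc(count ? count : 1, elem_size);
    *err = p ? 0 : -2;
    return p;
}

/* Little-endian readers with the semantics of avio_rl16 / avio_rl32. */
static uint32_t rl16(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}
static uint32_t rl32(const uint8_t *p)
{
    return rl16(p) | (rl16(p + 2) << 16);
}

/* Constructed header bytes (not from a real file): all 0xFF, the largest
 * value either field width can carry. */
static const uint8_t demo_header[4] = { 0xFF, 0xFF, 0xFF, 0xFF };

/* Count parsed as a 16-bit field, the width jvdec.c actually uses. */
static int header_ok_16(const uint8_t *hdr, size_t elem_size)
{
    return count_fits(rl16(hdr), elem_size);
}
/* Same bytes parsed as a 32-bit field: here the bound does real work. */
static int header_ok_32(const uint8_t *hdr, size_t elem_size)
{
    return count_fits(rl32(hdr), elem_size);
}

int main(void)
{
    int err;
    void *frames;
    printf("16-bit count %u: %s\n", rl16(demo_header),
           header_ok_16(demo_header, sizeof(Frame)) ? "accepted" : "rejected");
    printf("32-bit count %u: %s\n", rl32(demo_header),
           header_ok_32(demo_header, sizeof(Frame)) ? "accepted" : "rejected");
    frames = alloc_array_checked(rl32(demo_header), sizeof(Frame), &err);
    printf("32-bit alloc: err=%d ptr=%p\n", err, frames);
    free(frames);
    return 0;
}
```

The bound is only meaningful when the count's width can exceed it; for a field read with avio_rl16 the useful validation is a file-format limit (what a real JV file can contain), not an int-overflow guard.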