On Thu, 2026-05-21 at 19:23 +0000, michaelni via ffmpeg-devel wrote: > PR #23194 opened by michaelni > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23194 > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23194.patch > > Found-by: Calm (AI security-research agent, for John Bradley / > Credex) > > > > From c2ea987aa09032ab496da581858d844bb2ad6071 Mon Sep 17 00:00:00 > > 2001 > From: Michael Niedermayer <[email protected]> > Date: Thu, 21 May 2026 06:28:15 +0200 > Subject: [PATCH] avformat/mxfdec: zero-init Sony MPEG-4 extradata and > add > padding > > Found-by: Calm (AI security-research agent, for John Bradley / > Credex) > --- > libavformat/mxfdec.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c > index a5a8417487..58ea0bbca5 100644 > --- a/libavformat/mxfdec.c > +++ b/libavformat/mxfdec.c > @@ -1438,12 +1438,12 @@ static int mxf_read_generic_descriptor(void > *arg, AVIOContext *pb, int tag, int > break; > default: > /* Private uid used by SONY C0023S01.mxf */ > - if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) { > + if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata) && size <= > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
Did the "AI" tell you to add this useless check? All descriptors we support use 2-byte lengths due to byte 5 of the UID being 0x53, and I'm reasonably sure we assume int is >= 32 bits. See section 9.3 of S377m > if (descriptor->extradata) > av_log(NULL, AV_LOG_WARNING, "Duplicate > sony_mpeg4_extradata\n"); > av_free(descriptor->extradata); > descriptor->extradata_size = 0; > - descriptor->extradata = av_malloc(size); > + descriptor->extradata = av_mallocz(size + > AV_INPUT_BUFFER_PADDING_SIZE); Adding padding is fine /Tomas
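Review bot: The new bound `size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` is folded into the `IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)` condition, so a matching key with an out-of-range size silently skips the branch instead of being rejected, and the commit message ("zero-init Sony MPEG-4 extradata and add padding") does not mention the bound at all. If the bound is kept, make it a separate test inside the branch that returns AVERROR_INVALIDDATA, and state in the commit message which overflow of `size + AV_INPUT_BUFFER_PADDING_SIZE` it guards against. If the length field cannot reach that range, drop the bound and keep only the `av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE)` change.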
