PR #23573 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23573 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23573.patch
Fixes: out of array access Fixes: nelly.avi / gen_nelly_overflow.py Fixes: pgc86PfE7ZpA Fixes: 0eea21294354 (Add avcodec_decode_audio4().) Signed-off-by: Michael Niedermayer <[email protected]> >From 42e186c25fd1369b10449993770574c87265edb9 Mon Sep 17 00:00:00 2001 From: Marco Reimann <[email protected]> Date: Tue, 23 Jun 2026 04:14:59 +0200 Subject: [PATCH] avcodec/nellymoserdec: Check block count to avoid integer overflow Fixes: out of array access Fixes: nelly.avi / gen_nelly_overflow.py Fixes: pgc86PfE7ZpA Fixes: 0eea21294354 (Add avcodec_decode_audio4().) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/nellymoserdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/nellymoserdec.c b/libavcodec/nellymoserdec.c index 36477173ff..7037d6b0ba 100644 --- a/libavcodec/nellymoserdec.c +++ b/libavcodec/nellymoserdec.c @@ -156,8 +156,8 @@ static int decode_tag(AVCodecContext *avctx, AVFrame *frame, blocks = buf_size / NELLY_BLOCK_LEN; - if (blocks <= 0) { - av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + if (blocks <= 0 || blocks > INT_MAX / NELLY_SAMPLES) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small or too large\n"); return AVERROR_INVALIDDATA; } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
