PR #21085 opened by oliverchang URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21085 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21085.patch
Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read from the bitstream was not validated against the remaining bytes in the input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size exceeding the actual packet data, leading to an out-of-bounds read. The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is greater than or equal to `header_len - 2` before initializing `gb_hdr`. Fixes: https://issues.oss-fuzz.com/issues/439711053 >From ac7bdf8326e0747758ef1ceb03f4ff8abf225283 Mon Sep 17 00:00:00 2001 From: Oliver Chang <[email protected]> Date: Wed, 3 Dec 2025 02:57:43 +0000 Subject: [PATCH] libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read from the bitstream was not validated against the remaining bytes in the input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size exceeding the actual packet data, leading to an out-of-bounds read. The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is greater than or equal to `header_len - 2` before initializing `gb_hdr`. Fixes: https://issues.oss-fuzz.com/issues/439711053 --- libavcodec/prores_raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index 01f1bbd2fb..8be566ed36 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c @@ -360,7 +360,7 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; int header_len = bytestream2_get_be16(&gb); - if (header_len < 62) + if (header_len < 62 || bytestream2_get_bytes_left(&gb) < header_len - 2) return AVERROR_INVALIDDATA; GetByteContext gb_hdr; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
