From: michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: michaelni <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] avcodec/exr: use tile dimensions in pxr24 UINT case (PR #20821)
Date: Sun, 02 Nov 2025 21:24:39 -0000
Message-ID: <176211868017.25.6189078689818336239@2cb04c0e5124> (raw)
PR #20821 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20821
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20821.patch
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize which lead to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <veyga@veygax.dev>
>From 60657f201e11532457863a9ce90b2198937fb96c Mon Sep 17 00:00:00 2001
From: veygax <veyga@veygax.dev>
Date: Sun, 2 Nov 2025 02:35:40 +0000
Subject: [PATCH] avcodec/exr: use tile dimensions in pxr24 UINT case
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize which lead to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <veyga@veygax.dev>
---
libavcodec/exr.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index c83325aa52..733ad76316 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -745,12 +745,12 @@ static int pxr24_uncompress(const EXRContext *s, const uint8_t *src,
break;
case EXR_UINT:
ptr[0] = in;
- ptr[1] = ptr[0] + s->xdelta;
- ptr[2] = ptr[1] + s->xdelta;
- ptr[3] = ptr[2] + s->xdelta;
- in = ptr[3] + s->xdelta;
+ ptr[1] = ptr[0] + td->xsize;
+ ptr[2] = ptr[1] + td->xsize;
+ ptr[3] = ptr[2] + td->xsize;
+ in = ptr[3] + td->xsize;
- for (j = 0; j < s->xdelta; ++j) {
+ for (j = 0; j < td->xsize; ++j) {
uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
(*(ptr[1]++) << 16) |
(*(ptr[2]++) << 8 ) |
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
reply other threads:[~2025-11-02 21:25 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=176211868017.25.6189078689818336239@2cb04c0e5124 \
--to=ffmpeg-devel@ffmpeg.org \
--cc=code@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git