Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
* [FFmpeg-devel] [PATCH] libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame (PR #21085)
@ 2025-12-03  3:18 oliverchang via ffmpeg-devel
  2025-12-07 23:53 ` [FFmpeg-devel] " Kieran Kunhya via ffmpeg-devel
  0 siblings, 1 reply; 2+ messages in thread
From: oliverchang via ffmpeg-devel @ 2025-12-03  3:18 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: oliverchang

PR #21085 opened by oliverchang
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21085
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21085.patch

Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read
from the bitstream was not validated against the remaining bytes in the
input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size
exceeding the actual packet data, leading to an out-of-bounds read.

The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is
greater than or equal to `header_len - 2` before initializing `gb_hdr`.

Fixes: https://issues.oss-fuzz.com/issues/439711053


>From ac7bdf8326e0747758ef1ceb03f4ff8abf225283 Mon Sep 17 00:00:00 2001
From: Oliver Chang <ochang@google.com>
Date: Wed, 3 Dec 2025 02:57:43 +0000
Subject: [PATCH] libavcodec/prores_raw: Fix heap-buffer-overflow in
 decode_frame

Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read
from the bitstream was not validated against the remaining bytes in the
input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size
exceeding the actual packet data, leading to an out-of-bounds read.

The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is
greater than or equal to `header_len - 2` before initializing `gb_hdr`.

Fixes: https://issues.oss-fuzz.com/issues/439711053
---
 libavcodec/prores_raw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c
index 01f1bbd2fb..8be566ed36 100644
--- a/libavcodec/prores_raw.c
+++ b/libavcodec/prores_raw.c
@@ -360,7 +360,7 @@ static int decode_frame(AVCodecContext *avctx,
         return AVERROR_INVALIDDATA;
 
     int header_len = bytestream2_get_be16(&gb);
-    if (header_len < 62)
+    if (header_len < 62 || bytestream2_get_bytes_left(&gb) < header_len - 2)
         return AVERROR_INVALIDDATA;
 
     GetByteContext gb_hdr;
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-12-07 23:53 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-12-03  3:18 [FFmpeg-devel] [PATCH] libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame (PR #21085) oliverchang via ffmpeg-devel
2025-12-07 23:53 ` [FFmpeg-devel] " Kieran Kunhya via ffmpeg-devel

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git