* [FFmpeg-devel] [PATCH] avcodec/fflcms2: reject extended TRCs in ICC generator (PR #21180)
@ 2025-12-12 18:47 ruikai via ffmpeg-devel
From: ruikai via ffmpeg-devel @ 2025-12-12 18:47 UTC
To: ffmpeg-devel; +Cc: ruikai
PR #21180 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21180
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21180.patch
fflcms2 caches tone curves in an array indexed by
AVColorTransferCharacteristic values up to AVCOL_TRC_NB. After the
introduction of extended transfer characteristics (e.g. Panasonic
V-Log with value 256), get_curve() could be called with such values
and attempt to index s->curves[trc] out of bounds when generating
ICC profiles.
Restrict get_curve() to base TRC values and return
AVERROR_PATCHWELCOME for any transfer characteristic greater than or
equal to AVCOL_TRC_NB. This avoids out-of-bounds accesses for
extended TRCs while leaving the behavior for supported base TRCs
unchanged.
Repro on x86_64 with clang+ASan, lcms2 enabled, at aeb9b19ebc:
ASAN_OPTIONS=detect_leaks=0 ./ffmpeg -v error -f lavfi -i testsrc2=size=16x16:rate=1 -frames:v 1 -vf setparams=color_trc=vlog,iccgen -f null -
This triggers an ASan heap-buffer-overflow in get_curve(), reading
s->curves[256] and reporting roughly 237 * 8 = 1896 bytes of
out-of-bounds heap data before the function returns
AVERROR_PATCHWELCOME for V-Log.
Impact: denial of service via crafted ICC-generation filtergraphs that
use extended transfer characteristics (e.g. setparams=color_trc=vlog
followed by iccgen) on builds with lcms2 and Panasonic V-Log support
enabled.
Regression since: aeb9b19ebc
Found-by: Pwno
From 53c644e84783e829ff103adbab6b189be733360c Mon Sep 17 00:00:00 2001
From: Ruikai Peng <ruikai@pwno.io>
Date: Fri, 12 Dec 2025 13:44:55 -0500
Subject: [PATCH] avcodec/fflcms2: reject extended TRCs in ICC generator
fflcms2 caches tone curves in an array indexed by
AVColorTransferCharacteristic values up to AVCOL_TRC_NB. After the
introduction of extended transfer characteristics (e.g. Panasonic
V-Log with value 256), get_curve() could be called with such values
and attempt to index s->curves[trc] out of bounds when generating
ICC profiles.
Restrict get_curve() to base TRC values and return
AVERROR_PATCHWELCOME for any transfer characteristic greater than or
equal to AVCOL_TRC_NB. This avoids out-of-bounds accesses for
extended TRCs while leaving the behavior for supported base TRCs
unchanged.
Repro on x86_64 with clang+ASan, lcms2 enabled, at aeb9b19ebc:
ASAN_OPTIONS=detect_leaks=0 ./ffmpeg -v error -f lavfi -i testsrc2=size=16x16:rate=1 -frames:v 1 -vf setparams=color_trc=vlog,iccgen -f null -
This triggers an ASan heap-buffer-overflow in get_curve(), reading
s->curves[256] and reporting roughly 237 * 8 = 1896 bytes of
out-of-bounds heap data before the function returns
AVERROR_PATCHWELCOME for V-Log.
Impact: denial of service via crafted ICC-generation filtergraphs that
use extended transfer characteristics (e.g. setparams=color_trc=vlog
followed by iccgen) on builds with lcms2 and Panasonic V-Log support
enabled.
Regression since: aeb9b19ebc
Found-by: Pwno
---
libavcodec/fflcms2.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/fflcms2.c b/libavcodec/fflcms2.c
index 3c7f3dc07f..1ade9cf298 100644
--- a/libavcodec/fflcms2.c
+++ b/libavcodec/fflcms2.c
@@ -50,7 +50,11 @@ void ff_icc_context_uninit(FFIccContext *s)
static int get_curve(FFIccContext *s, enum AVColorTransferCharacteristic trc,
cmsToneCurve **out_curve)
{
- if ((unsigned)trc < AVCOL_TRC_NB && s->curves[trc])
+ /* Only base TRCs are cached here; extended TRCs aren't supported yet. */
+ if ((unsigned)trc >= AVCOL_TRC_NB)
+ return AVERROR_PATCHWELCOME;
+
+ if (s->curves[trc])
goto done;
switch (trc) {
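Review bot: the removed guard `if ((unsigned)trc < AVCOL_TRC_NB && s->curves[trc])` was already bounds-checked, so the out-of-bounds read the commit message describes must come from a later access to s->curves[trc] that is not in this hunk (the cache store or the `done:` path); please name that line in the commit message so the fix can be matched to the fault. The early `if ((unsigned)trc >= AVCOL_TRC_NB) return AVERROR_PATCHWELCOME;` is the right shape: the unsigned cast also rejects negative enum values, and every later index into s->curves[] in this function is now covered by one check instead of per-site guards. Consider extending the new comment to say that s->curves[] is sized for AVCOL_TRC_NB entries, since that is the invariant the check protects.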
@@ -125,7 +129,6 @@ static int get_curve(FFIccContext *s, enum AVColorTransferCharacteristic trc,
case AVCOL_TRC_BT1361_ECG:
case AVCOL_TRC_SMPTE2084:
case AVCOL_TRC_ARIB_STD_B67:
- case AVCOL_TRC_V_LOG:
return AVERROR_PATCHWELCOME;
default:
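Review bot: dropping `case AVCOL_TRC_V_LOG:` is a consistency fix rather than a behaviour change: with the new early return above, any trc >= AVCOL_TRC_NB (V-Log is 256 per the commit message) never reaches this switch, so the label had become dead code, and the result is AVERROR_PATCHWELCOME either way. One consequence worth a line in the commit message: future extended TRCs are rejected by the range check without needing a case here, so this switch only has to enumerate base TRCs from now on.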
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org