To: ffmpeg-devel@ffmpeg.org
Date: Fri, 12 Dec 2025 18:47:01 -0000
Message-ID: <176556522229.39.3080700655228629119@2cb04c0e5124>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] avcodec/fflcms2: reject extended TRCs in ICC generator (PR #21180)
List-Id: FFmpeg development discussions and patches
From: ruikai via ffmpeg-devel
Cc: ruikai

PR #21180 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21180
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21180.patch

fflcms2 caches tone curves in an array indexed by AVColorTransferCharacteristic values up to AVCOL_TRC_NB. After the introduction of extended transfer characteristics (e.g. Panasonic V-Log with value 256), get_curve() could be called with such values and attempt to index s->curves[trc] out of bounds when generating ICC profiles.

Restrict get_curve() to base TRC values and return AVERROR_PATCHWELCOME for any transfer characteristic greater than or equal to AVCOL_TRC_NB. This avoids out-of-bounds accesses for extended TRCs while leaving the behavior for supported base TRCs unchanged.

Repro on x86_64 with clang+ASan, lcms2 enabled, at aeb9b19ebc:

  ASAN_OPTIONS=detect_leaks=0 ./ffmpeg -v error -f lavfi -i testsrc2=size=16x16:rate=1 -frames:v 1 -vf setparams=color_trc=vlog,iccgen -f null -

This triggers an ASan heap-buffer-overflow in get_curve(), reading s->curves[256] and reporting roughly 237 * 8 = 1896 bytes of out-of-bounds heap data before the function returns AVERROR_PATCHWELCOME for V-Log.

Impact: denial of service via crafted ICC-generation filtergraphs that use extended transfer characteristics (e.g. setparams=color_trc=vlog followed by iccgen) on builds with lcms2 and Panasonic V-Log support enabled.

Regression since: aeb9b19ebc
Found-by: Pwno

From 53c644e84783e829ff103adbab6b189be733360c Mon Sep 17 00:00:00 2001
From: Ruikai Peng
Date: Fri, 12 Dec 2025 13:44:55 -0500
Subject: [PATCH] avcodec/fflcms2: reject extended TRCs in ICC generator

fflcms2 caches tone curves in an array indexed by AVColorTransferCharacteristic values up to AVCOL_TRC_NB. After the introduction of extended transfer characteristics (e.g. Panasonic V-Log with value 256), get_curve() could be called with such values and attempt to index s->curves[trc] out of bounds when generating ICC profiles.

Restrict get_curve() to base TRC values and return AVERROR_PATCHWELCOME for any transfer characteristic greater than or equal to AVCOL_TRC_NB. This avoids out-of-bounds accesses for extended TRCs while leaving the behavior for supported base TRCs unchanged.

Repro on x86_64 with clang+ASan, lcms2 enabled, at aeb9b19ebc:

  ASAN_OPTIONS=detect_leaks=0 ./ffmpeg -v error -f lavfi -i testsrc2=size=16x16:rate=1 -frames:v 1 -vf setparams=color_trc=vlog,iccgen -f null -

This triggers an ASan heap-buffer-overflow in get_curve(), reading s->curves[256] and reporting roughly 237 * 8 = 1896 bytes of out-of-bounds heap data before the function returns AVERROR_PATCHWELCOME for V-Log.

Impact: denial of service via crafted ICC-generation filtergraphs that use extended transfer characteristics (e.g. setparams=color_trc=vlog followed by iccgen) on builds with lcms2 and Panasonic V-Log support enabled.

Regression since: aeb9b19ebc
Found-by: Pwno
---
 libavcodec/fflcms2.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/fflcms2.c b/libavcodec/fflcms2.c
index 3c7f3dc07f..1ade9cf298 100644
--- a/libavcodec/fflcms2.c
+++ b/libavcodec/fflcms2.c
@@ -50,7 +50,11 @@ void ff_icc_context_uninit(FFIccContext *s) static int get_curve(FFIccContext *s, enum AVColorTransferCharacteristic trc, cmsToneCurve **out_curve) { - if ((unsigned)trc < AVCOL_TRC_NB && s->curves[trc]) + /* Only base TRCs are cached here; extended TRCs aren't supported yet. */ + if ((unsigned)trc >= AVCOL_TRC_NB) + return AVERROR_PATCHWELCOME; + + if (s->curves[trc]) goto done; switch (trc) { @@ -125,7 +129,6 @@ static int get_curve(FFIccContext *s, enum AVColorTransferCharacteristic trc, case AVCOL_TRC_BT1361_ECG: case AVCOL_TRC_SMPTE2084: case AVCOL_TRC_ARIB_STD_B67: - case AVCOL_TRC_V_LOG: return AVERROR_PATCHWELCOME; default: -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
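Review bot: the new early return in the first hunk (`if ((unsigned)trc >= AVCOL_TRC_NB) return AVERROR_PATCHWELCOME;`) answers "patches welcome" for every value at or above AVCOL_TRC_NB, which lumps legitimate extended characteristics such as AVCOL_TRC_V_LOG together with values that are simply outside the enum; the (unsigned) cast routes negative values to the same return as well. Consider returning AVERROR(EINVAL) for values that are not a known characteristic at all, or at least widen the added comment to say that the check also rejects invalid values, since after this change it is the only guard between the caller and s->curves[] on both the cache-hit path and the `done:` path.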
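Review bot: the second hunk drops `case AVCOL_TRC_V_LOG:` from the AVERROR_PATCHWELCOME group without the commit message saying why. The removal is only correct because the range check added in the first hunk returns before the switch for every trc >= AVCOL_TRC_NB, which makes this case unreachable; add a sentence to the commit message to that effect (e.g. "Drop the now-unreachable AVCOL_TRC_V_LOG case from the switch"), so a later reader does not mistake this for V-Log gaining support and anyone who relaxes or moves the range check knows the case has to come back.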
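As an added illustration of the pattern this patch fixes, the following C model keeps a fixed-size curve cache indexed by a transfer-characteristic enum and places the range check ahead of every access to the array. This is example code written for this page, not FFmpeg's fflcms2.c; every name (TRC_NB, TRC_V_LOG, curve_cache, cache_get_curve, run_demo, demo_cache_hit) and every enum value in it is constructed for the illustration and does not reproduce FFmpeg's real values.

```c
/* Added example, not FFmpeg code: a minimal tone-curve cache indexed by a
 * transfer-characteristic enum, with the bounds check placed before any
 * access to the cache. All identifiers and values are constructed. */
#include <stdlib.h>
#include <string.h>

/* Base values 0..TRC_NB-1 own a cache slot; TRC_V_LOG = 256 models an
 * extended characteristic whose value lies beyond the cache. */
enum trc {
    TRC_RESERVED0 = 0,
    TRC_BT709     = 1,
    TRC_LINEAR    = 8,
    TRC_NB        = 19,     /* number of cached slots (constructed) */
    TRC_V_LOG     = 256     /* extended: must never index the cache */
};

#define ERR_PATCHWELCOME (-1)   /* stand-in for "unsupported, patches welcome" */

typedef struct tone_curve {
    enum trc trc;
    double gamma;           /* stand-in for the real curve parameters */
} tone_curve;

typedef struct curve_cache {
    tone_curve *curves[TRC_NB];
    int oob_rejections;     /* requests stopped by the range check */
} curve_cache;

/* Build a curve for a supported base TRC; NULL for base TRCs without one. */
static tone_curve *build_curve(enum trc trc)
{
    double gamma;
    switch (trc) {
    case TRC_BT709:  gamma = 1.0 / 0.45; break;  /* constructed value */
    case TRC_LINEAR: gamma = 1.0;        break;
    default:         return NULL;
    }
    tone_curve *c = malloc(sizeof(*c));
    if (c) { c->trc = trc; c->gamma = gamma; }
    return c;
}

/* Hardened lookup: the range check runs before s->curves[trc] is touched on
 * either the cache-hit or the cache-fill path. The unsigned cast folds the
 * negative case into the same comparison, so a garbage enum value cannot
 * reach the array either. On rejection *out is left untouched. */
int cache_get_curve(curve_cache *s, enum trc trc, tone_curve **out)
{
    if ((unsigned)trc >= TRC_NB) {
        s->oob_rejections++;
        return ERR_PATCHWELCOME;
    }
    if (!s->curves[trc]) {
        s->curves[trc] = build_curve(trc);
        if (!s->curves[trc])
            return ERR_PATCHWELCOME;    /* in range, but no implementation */
    }
    *out = s->curves[trc];
    return 0;
}

void cache_uninit(curve_cache *s)
{
    for (int i = 0; i < TRC_NB; i++) { free(s->curves[i]); s->curves[i] = NULL; }
}

/* Drive the lookup with a constructed request list that includes the
 * extended value and a negative one; return how many were rejected by the
 * range check. */
int run_demo(void)
{
    curve_cache s;
    memset(&s, 0, sizeof(s));
    const enum trc requests[] = { TRC_BT709, TRC_V_LOG, TRC_BT709,
                                  (enum trc)-1, TRC_LINEAR };
    tone_curve *c = NULL;
    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++)
        cache_get_curve(&s, requests[i], &c);
    int rejected = s.oob_rejections;
    cache_uninit(&s);
    return rejected;    /* 2: the V-Log request and the negative value */
}

/* Returns 1 when a second request for the same base TRC is served from
 * the cache (same pointer), 0 otherwise. */
int demo_cache_hit(void)
{
    curve_cache s;
    memset(&s, 0, sizeof(s));
    tone_curve *a = NULL, *b = NULL;
    int ok = cache_get_curve(&s, TRC_BT709, &a) == 0 &&
             cache_get_curve(&s, TRC_BT709, &b) == 0 && a == b;
    cache_uninit(&s);
    return ok;
}
```

The property to check in review of any cache shaped like this is that the comparison happens before both the cache-hit test and the cache-fill store: in the model above no path reads or writes s->curves[trc] unless (unsigned)trc < TRC_NB has already held, which is exactly what the patch's early return establishes for fflcms2's get_curve().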