From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 14 Dec 2025 17:31:06 -0000
Message-ID: <176573346703.60.15191071793073764504@2cb04c0e5124>
Message-ID-Hash: TA6IO7BDCS4PRRJWSAIBGPQX7OTA364N
X-MailFrom: code@ffmpeg.org
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] avformat/mpegts: bounds-check JPEG-XS header_size before padding (PR #21196)
List-Id: FFmpeg development discussions and patches
From: ruikai via ffmpeg-devel
Cc: ruikai
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

PR #21196 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21196
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21196.patch

Regression since: 536475ea05.

The JPEG-XS PES path trusted header_size from the payload and advanced
pkt->data/pkt->size without validation, so the trailing memset could write
out of bounds when header_size > pkt->size. Reject such packets, marking
them corrupt and returning an error to avoid the OOB write.

Repro (ASan):
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 \
./ffmpeg -v debug -nostdin -i poc-jpegxs.ts -copy_unknown -map 0 \
-c copy -f null /dev/null

Crash in new_pes_packet memset on crafted TS with stream_id 0xbd,
stream_type 0x32, header_size 0xFFFFFF00, payload starting with jxes.

Found-by: Pwno

>From 91385c6417b60d2d609bceb6ccab3da28070a263 Mon Sep 17 00:00:00 2001
From: Ruikai Peng Date: Sun, 14 Dec 2025 12:26:37 -0500 Subject: [PATCH] avformat/mpegts: bounds-check JPEG-XS header_size before padding Regression since: 536475ea05. The JPEG-XS PES path trusted header_size from the payload and advanced pkt->data/pkt->size without validation, so the trailing memset could write out of bounds when header_size > pkt->size. Reject such packets, marking them corrupt and returning an error to avoid the OOB write. Repro (ASan): ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 ./ffmpeg -v debug -nostdin -i poc-jpegxs.ts -copy_unknown -map 0 -c copy -f null /dev/null Crash in new_pes_packet memset on crafted TS with stream_id 0xbd, stream_type 0x32, header_size 0xFFFFFF00, payload starting with jxes. Found-by: Pwno --- libavformat/mpegts.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index fb1dcd11be..7c19abaf76 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1035,6 +1035,13 @@ static int new_pes_packet(PESContext *pes, AVPacket *pkt) pkt->size >= 8 && memcmp(pkt->data + 4, "jxes", 4) == 0) { uint32_t header_size = AV_RB32(pkt->data); + if (header_size > pkt->size) { + av_log(pes->stream, AV_LOG_WARNING, + "Invalid JPEG-XS header size %"PRIu32" > packet size %d\n", + header_size, pkt->size); + pes->flags |= AV_PKT_FLAG_CORRUPT; + return AVERROR_INVALIDDATA; + } pkt->data += header_size; pkt->size -= header_size; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
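Review bot: the new `if (header_size > pkt->size)` block accepts header_size == pkt->size, which leaves pkt->size at 0 after the two adjustments that follow it; if an empty JPEG-XS payload is not meaningful downstream, `>=` in the same place would reject it, otherwise a one-line comment that the zero-length case is intended would help the next reader. The comparison mixes uint32_t with int (note the %d used for pkt->size in the log line) and is only safe because the visible context has already tested `pkt->size >= 8`; a short comment saying so would keep a later reorder of those conditions from silently reintroducing the problem. The early `return AVERROR_INVALIDDATA` fires after pkt->data and pkt->size already point into the PES buffer (visible context), so please confirm the caller's error path for new_pes_packet releases that buffer exactly once, and that the AV_PKT_FLAG_CORRUPT set on pes->flags is cleared before the next packet rather than carried onto it.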
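To show why the crafted header_size in the report reaches the padding memset at all, here is an added C model of the pre-patch and patched arithmetic; it is not FFmpeg's code, and jxs_*, make_header and the constructed 100-byte packet are assumptions.

```c
/* Added model of the JPEG-XS PES header check from the patch; not FFmpeg code.
 * jxs_*, make_header and the 100-byte packet are assumptions. pkt->data is a
 * byte offset from the PES buffer start here, pkt->size an int as in AVPacket. */
#include <stdint.h>
#include <string.h>
/* Big-endian 32-bit read of the header_size field (what AV_RB32 does). */
static uint32_t rb32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Pre-patch behaviour: offset at which the trailing memset(pkt->data + pkt->size,
 * 0, AV_INPUT_BUFFER_PADDING_SIZE) would start. The 64-bit pointer advance does
 * not wrap, but "pkt->size -= header_size" is int -= uint32_t and wraps mod 2^32. */
static int64_t jxs_memset_offset_unchecked(const uint8_t *payload, int64_t off, int size) {
    uint32_t header_size = rb32(payload);
    off  += header_size;
    size  = (int)((uint32_t)size - header_size);  /* modular on gcc/clang */
    return off + size;
}

/* Patched behaviour: -1 (AVERROR_INVALIDDATA in FFmpeg) when header_size exceeds
 * the packet, otherwise strip it and return 0. The patch compares without a cast;
 * that implicit int-to-unsigned conversion is safe only after the size >= 8 test. */
static int jxs_strip_header_checked(const uint8_t *payload, int64_t *off, int *size) {
    if (*size < 8 || memcmp(payload + 4, "jxes", 4) != 0)
        return 0;                             /* not a JPEG-XS payload: untouched */
    uint32_t header_size = rb32(payload);
    if (header_size > (uint32_t)*size)
        return -1;
    *off  += header_size;
    *size -= header_size;
    return 0;
}
/* Constructed 8-byte payload head: header_size field, then the "jxes" magic. */
static void make_header(uint8_t out[8], uint32_t header_size) {
    out[0] = header_size >> 24; out[1] = header_size >> 16;
    out[2] = header_size >> 8;  out[3] = header_size;
    memcpy(out + 4, "jxes", 4);
}
/* Both paths over a constructed 100-byte packet at offset 0 (padding follows it). */
static int64_t unchecked_offset_for(uint32_t hs) {
    uint8_t h[8]; make_header(h, hs);
    return jxs_memset_offset_unchecked(h, 0, 100);
}
static int checked_size_for(uint32_t hs) {      /* -1 if rejected, else new pkt->size */
    uint8_t h[8]; int64_t off = 0; int size = 100; make_header(h, hs);
    return jxs_strip_header_checked(h, &off, &size) ? -1 : size;
}
```

A merely oversized header_size such as 1000 leaves the memset start in bounds but pkt->size negative, while the reported 0xFFFFFF00 wraps pkt->size back to a positive value and places the memset 4 GiB past the buffer. The patched comparison rejects both; header_size == 100 is the equality boundary it still admits, yielding a zero-length packet.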