From: mkver via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: mkver
Date: Tue, 16 Dec 2025 20:30:09 -0000
Message-ID: <176591701029.60.9385494512642793843@2cb04c0e5124>
Subject: [FFmpeg-devel] [PATCH] avformat/flac_picture: Correct check (PR #21223)

PR #21223 opened by mkver
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21223
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21223.patch

Since af97c9865fe7a48b223e162eabce21cc180f305c, the return value of avio_read() has been compared against an uint32_t, so that the int is promoted to uint32_t for the comparison (on common systems with 32bit ints). The upshot was that errors returned from avio_read() were ignored, so that the buffer could be uninitialized on success. Fix this by using ffio_read_size() instead.

Fixes: MemorySanitizer: use-of-uninitialized-value
Fixes: 443923343/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-5458132865449984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

From d0721550fd0695fe8919136dea118b5c302a9d1f Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt Date: Tue, 16 Dec 2025 20:53:43 +0100 Subject: [PATCH] avformat/flac_picture: Correct check Since af97c9865fe7a48b223e162eabce21cc180f305c, the return value of avio_read() has been compared against an uint32_t, so that the int is promoted to uint32_t for the comparison (on common systems with 32bit ints). The upshot was that errors returned from avio_read() were ignored, so that the buffer could be uninitialized on success. Fix this by using ffio_read_size() instead. Fixes: MemorySanitizer: use-of-uninitialized-value Fixes: 443923343/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-5458132865449984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Andreas Rheinhardt --- libavformat/flac_picture.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/flac_picture.c b/libavformat/flac_picture.c index c9f3f11edd..46f0513214 100644 --- a/libavformat/flac_picture.c +++ b/libavformat/flac_picture.c @@ -23,6 +23,7 @@ #include "libavcodec/bytestream.h" #include "libavcodec/png.h" #include "avformat.h" +#include "avio_internal.h" #include "demux.h" #include "flac_picture.h" #include "id3v2.h" @@ -158,8 +159,9 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t **bufp, int buf_size, // If truncation was detected copy all data from block and // read missing bytes not included in the block size. bytestream2_get_bufferu(&g, data->data, left); - if (avio_read(s->pb, data->data + len - trunclen, trunclen) < trunclen) - RETURN_ERROR(AVERROR_INVALIDDATA); + ret = ffio_read_size(s->pb, data->data + len - trunclen, trunclen); + if (ret < 0) + goto fail; } } memset(data->data + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
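Review bot: the replacement in the second hunk (`ret = ffio_read_size(...); if (ret < 0) goto fail;`) depends on `ret` and the `fail:` label being in scope in ff_flac_parse_picture, and neither appears in the hunk's context; the removed line used RETURN_ERROR, which presumably sets ret and jumps to fail, so this is likely fine, but worth confirming that `ret` is an int that is not reused for a byte count afterwards. Two smaller points: `trunclen` is the uint32_t the old comparison promoted `avio_read()`'s return value to, and it is now passed to ffio_read_size()'s int size parameter, so the implicit narrowing should be covered by a bound on trunclen established earlier in the function (not visible in this hunk); and the error code changes from an unconditional AVERROR_INVALIDDATA to whatever ffio_read_size() returns, which is the better behaviour (an I/O error no longer masquerades as corrupt data) but is a caller-visible change the commit message could mention.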
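As an added illustration of the promotion the commit message describes (not part of the patch or of FFmpeg's code), the following C models the old `avio_read(...) < trunclen` check beside a check built on a stand-in for ffio_read_size(); FakeIO, fake_avio_read, fake_read_size, run_scenario and the FAKE_AVERROR_* values are constructed for this example, not FFmpeg's API.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for FFmpeg's negative AVERROR codes (values are not FFmpeg's). */
#define FAKE_AVERROR_EOF          (-1)
#define FAKE_AVERROR_IO           (-5)
#define FAKE_AVERROR_INVALIDDATA  (-22)

/* Minimal model of an AVIOContext: a byte buffer plus an injected I/O failure flag. */
typedef struct { const uint8_t *data; size_t size, pos; int fail_io; } FakeIO;

/* Models avio_read(): returns the bytes read (possibly short) or a negative error. */
static int fake_avio_read(FakeIO *io, uint8_t *buf, int size) {
    if (io->fail_io) return FAKE_AVERROR_IO;
    size_t left = io->size - io->pos;
    if (left == 0) return FAKE_AVERROR_EOF;
    int n = left < (size_t)size ? (int)left : size;
    memcpy(buf, io->data + io->pos, n);
    io->pos += n;
    return n;
}

/* The pre-fix check. The cast spells out what C does implicitly in
 * `avio_read(...) < trunclen` when int is 32 bits wide: a negative error code
 * becomes a huge uint32_t, so the "short read" branch is never taken for errors
 * and the caller proceeds with a buffer that was never written (the MSan report). */
static int old_check(FakeIO *io, uint8_t *buf, uint32_t trunclen) {
    int ret = fake_avio_read(io, buf, (int)trunclen);
    if ((uint32_t)ret < trunclen)      /* -5 becomes 4294967291: not < trunclen */
        return FAKE_AVERROR_INVALIDDATA;
    return 0;                          /* reported as success even on I/O error */
}

/* Models ffio_read_size(): a full read or a negative error, never a short count. */
static int fake_read_size(FakeIO *io, uint8_t *buf, int size) {
    int ret = fake_avio_read(io, buf, size);
    if (ret == size) return ret;
    if (ret < 0 && ret != FAKE_AVERROR_EOF) return ret;
    return FAKE_AVERROR_INVALIDDATA;
}

/* The post-fix check: every failure surfaces as a negative return value. */
static int new_check(FakeIO *io, uint8_t *buf, uint32_t trunclen) {
    int ret = fake_read_size(io, buf, (int)trunclen);
    return ret < 0 ? ret : 0;
}

/* Runs one check on constructed input: `bytes` is what the stream still holds. */
static int run_scenario(const char *bytes, size_t n, int fail_io, uint32_t trunclen, int use_new) {
    uint8_t buf[16] = {0};
    FakeIO io = { (const uint8_t *)bytes, n, 0, fail_io };
    return use_new ? new_check(&io, buf, trunclen) : old_check(&io, buf, trunclen);
}
```

Only a genuinely short read (fewer bytes than trunclen, but at least one) was ever caught by the old comparison; an I/O error or EOF passed as success.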