From: Timo Rothenpieler via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler
Date: Wed, 31 Dec 2025 16:48:09 -0000
Message-ID: <176719968956.25.18052429438693325927@4457048688e7>
Subject: [FFmpeg-devel] [PR] [8.0] avformat/img2dec: reject input images too big to fit into a single packet (PR #21336)

PR #21336 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21336
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21336.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)

>>From c1b7e233fd5d34a94fade5f1664bf1c7a3f948b7 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler Date: Wed, 31 Dec 2025 03:41:21 +0100 Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet Not entirely sure if it should instead use some entirely different approach here, given that images exceeding 2GB don't seem that crazy to me, but so far processing such images results in a heap overflow, since the size addition overflows and a much too small packet is allocated and its size never checked again when writing into it. Fixes #YWH-PGM40646-32 (cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8) --- libavformat/img2dec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index f0ed84f8f6..a0749da2bb 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -416,8 +416,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -497,7 +499,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
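
Review bot: In the second hunk (`@@ -497,7 +499,17 @@`), the three new `return AVERROR_INVALIDDATA;` statements leave the function directly, while the existing failure branch right below them (`if (res < 0) { goto fail; }`) goes through the `fail` label. If that label is what releases the `f[3]` I/O contexts declared at the top of the function, an oversized input would skip that cleanup on every rejected file; setting `res = AVERROR_INVALIDDATA;` and using `goto fail;` in all three places would keep a single exit path. The `total_size > INT64_MAX - size[n]` checks also assume each `size[n]` is non-negative, so it would help to state or enforce that before the additions. An `av_log()` line giving `filename` and the computed size would tell the user why the image was rejected.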