From mboxrd@z Thu Jan 1 00:00:00 1970
From: Timo Rothenpieler via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler
Reply-To: FFmpeg development discussions and patches
Date: Wed, 31 Dec 2025 16:51:50 -0000
Message-ID: <176719991068.25.4775554944253551302@4457048688e7>
Subject: [FFmpeg-devel] [PR] avformat/img2dec: reject input images too big to fit into a single packet (PR #21337)
List-Id: FFmpeg development discussions and patches
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

PR #21337 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21337
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21337.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)


>>From 7ce72077704d5351d2c4a8d06016548e0f8a730c Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler
Date: Wed, 31 Dec 2025 03:41:21 +0100
Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet

Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy to
me, but so far processing such images results in a heap overflow, since
the size addition overflows and a much too small packet is allocated and
its size never checked again when writing into it.

Fixes #YWH-PGM40646-32

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)
---
 libavformat/img2dec.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 3389fa818e..2bcbfafdfc 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -416,8 +416,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -497,7 +499,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
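
Review bot: in the first hunk (@@ -416,8 +416,10, the declarations of ff_img_read_packet), size[] is widened to int64_t, but the only consumer updated in this patch is the sum passed to av_new_packet. The reads that later copy size[i] bytes into the packet are outside the lines shown, and the commit message says the packet size is "never checked again when writing into it", so please confirm that none of those uses hands a 64-bit size[i] to an int parameter without a range check. Separately, the AVIOContext *f[3] = { NULL }; line is removed and re-added with no visible change other than whitespace; leaving it out would keep the diff limited to the functional change.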
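
Review bot: in the second hunk (@@ -497,7 +499,17), the three new overflow checks exit with a bare return AVERROR_INVALIDDATA; while the av_new_packet failure directly below them uses goto fail. If the fail label is where the f[] contexts opened earlier in the non-pipe path are released, the new early returns skip that cleanup; setting res = AVERROR_INVALIDDATA and using goto fail would keep a single error path. The checks also assume every size[i] is non-negative: with a negative size[1] or size[2], the expression INT64_MAX - size[i] is itself a signed overflow, so rejecting negative sizes before the additions (or documenting that they cannot occur here) would make the guard complete.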