From: Timo Rothenpieler via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler
Reply-To: FFmpeg development discussions and patches
Date: Wed, 31 Dec 2025 16:53:28 -0000
Message-ID: <176720000904.25.2834392607404927429@4457048688e7>
Subject: [FFmpeg-devel] [PR] [7.0] avformat/img2dec: reject input images too big to fit into a single packet (PR #21338)

PR #21338 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21338
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21338.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)

>>From 1a7ab8affab8f4b921b7a4b8fc40e9cbc25acd74 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler Date: Wed, 31 Dec 2025 03:41:21 +0100 Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet Not entirely sure if it should instead use some entirely different approach here, given that images exceeding 2GB don't seem that crazy to me, but so far processing such images results in a heap overflow, since the size addition overflows and a much too small packet is allocated and its size never checked again when writing into it. Fixes #YWH-PGM40646-32 (cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8) --- libavformat/img2dec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index ddefbe85e2..d65c1c76c9 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -416,8 +416,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -497,7 +499,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
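
Review bot: In the first hunk (@@ -416,8 +416,10 @@) size[3] becomes int64_t while ret[3] stays int, and the patch changes nothing between this declaration and the av_new_packet() call. Please confirm that the code filling size[i] stores the full 64-bit value rather than an int that has already been truncated, and that any later use of size[i] as a read length only reaches int parameters after the INT_MAX check added in the second hunk. A short comment at the declaration saying the sum is capped at INT_MAX because it becomes the packet size would document the limit.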
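
Review bot: In the second hunk (@@ -497,7 +499,17 @@) the three new checks leave with a bare "return AVERROR_INVALIDDATA;", while the av_new_packet() failure directly below them goes through "goto fail;". If the fail label releases the f[3] contexts declared at the top of the function, these early returns skip that cleanup on exactly the oversized-input path. Suggest setting res = AVERROR_INVALIDDATA and jumping to fail instead. The two INT64_MAX comparisons also assume size[1] and size[2] are non-negative: with a negative value, INT64_MAX - size[i] is itself a signed overflow, so negative sizes should be rejected before the sum if they can occur.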