From: Timo Rothenpieler via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler
Reply-To: FFmpeg development discussions and patches
Date: Wed, 31 Dec 2025 16:58:06 -0000
Message-ID: <176720028675.25.13864718645945183832@4457048688e7>
Subject: [FFmpeg-devel] [PR] [6.1] avformat/img2dec: reject input images too big to fit into a single packet (PR #21339)

PR #21339 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21339
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21339.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)

>>From 80e99378c3f5d0e0c70a2ecf94faaae07a754a17 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler Date: Wed, 31 Dec 2025 03:41:21 +0100 Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet Not entirely sure if it should instead use some entirely different approach here, given that images exceeding 2GB don't seem that crazy to me, but so far processing such images results in a heap overflow, since the size addition overflows and a much too small packet is allocated and its size never checked again when writing into it. Fixes #YWH-PGM40646-32 (cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8) --- libavformat/img2dec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index e2b4b01587..35558662fa 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -414,8 +414,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -495,7 +497,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
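Review bot: In the first hunk (the declarations at the top of ff_img_read_packet, @@ -414), `int64_t size[3]` is still a signed type, and nothing in the visible lines rejects a negative element before the summation added in the second hunk. If any size[i] can hold a negative value (for example an error code stored as a size), `INT64_MAX - size[1]` is itself a signed overflow, and a negative total_size passes the `> INT_MAX` test and is then narrowed to the int parameter of av_new_packet(). Suggest rejecting `size[i] < 0` at the point where each size is obtained, so the three additions only ever see non-negative operands.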
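Review bot: The three new `return AVERROR_INVALIDDATA;` statements in the second hunk (@@ -495) leave the function directly, while the error path immediately below them, `if (res < 0) { goto fail; }`, goes through the `fail` label. If `fail` is where the `f[3]` AVIOContexts opened earlier in the function are released, every rejected oversized image now skips that cleanup. Suggest `res = AVERROR_INVALIDDATA; goto fail;` in all three places so the rejection takes the same exit path as a failed av_new_packet().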