From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id A215C4DB7D
	for <ffmpegdev@gitmailbox.com>; Wed, 31 Dec 2025 16:59:35 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'ouJ3yqDw2D6JJ/ezGunN6u2VPjExp7nnpAfcM6oXkXk=', expected 
   b'zJpN9ddB7mPQzkgkEfY6r0Ezlfzt0dICdSp34MHx6dU=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1767200372; h=mime-version : to :
 date : message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=ouJ3yqDw2D6JJ/ezGunN6u2VPjExp7nnpAfcM6oXkXk=;
 b=bAjbM2I14DK4CT2GiE5TNNxWaFCajPuzbbY0s90qzb7GPs0hWzOBNhxcfduJTK5W1MQPY
 W73WDfbx9hKAqlHohRITAZ23VpQhkYEL51UoLapCTGPPC2yLzyXSvu32RVBZJ7Ja4P82V+N
 3SLOg967KJupSnEHdk8PH5yniN64/C4/dR4Beu8958lZJuSTTM+Fb6JYLHfJFUwCtxmk1uE
 uLN6FOjywBHDxp12H4r6NKJgPyUed7jlmPB/KPcWl1aipiCfvOnxl1Zm03UdhX7SIQifYIz
 +BapudxeOvo25TbgAz6G4SZTl6C/f09lWUGVCqXij2KnlzoSQoeTCUgwrPoA==
Received: from [172.20.0.4] (unknown [172.20.0.4])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 7C5EB690C3A;
	Wed, 31 Dec 2025 18:59:32 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1767200364;
 b=UqJeP9uf2XPvY1Dz+03nMiO2/Nwg8WnGoqDwd16yBSi4qVTaEIVFESCD/60Ty2+OzKU7f
 VOj34TybQyiqphxONJ0H81MZY3Q5q6nGrzAOGd9ESfz/uYECi8Ts0Au6E6Hgk7Y4Y3Ttp2i
 1ZwTbkf5TvjsQMnbEsdwRox4wRsxicQT48tIZ/lMQj7Phw8RnVg+8MitDPwRZAxGM1WaU7/
 92GepM92eqI9Yo+GNg2XPuzNN2zho0HaZ6g1/KMZ0sPRHIvYuHLQktQwMBBtjV816ShuG+K
 Vt7+Jsl1X3gdUp3vZ/hloJMj/OIKx+kkddhUCpvP+ONJdVM+t/DNh1gSXg/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1767200364; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=rjT3JsxpKpLtIRnZIZ3dxwNd/StlBQvDMg9PHLlrmAc=;
 b=dpzzrzzpQjZaMa+0rvAClDd3lIg+VogBCWqJDtL+tS08sEnH1riE1HFRzGuxpGWe3zb8P
 ZkgSWjYII99se89f4iUI9KWh3cvBzii1lbyram4FaJn2Hsnxjyaz62iq1oo8lsyAfdmRVDe
 9WxgOVXosYazBpNYkcX9Z+66tda331KgB7YOaBbFqYOTcZLRwHmor3zrqqzA0RfvhgUBhba
 ocT9VUVmxZ+4jZlFeHjdLD/xVDPVMIlOdKyaZTgb2cHKr4NDyDIg2/s3d6MbGHWhLB0eQZD
 0DKYHtpXGJlGS8+G9Os/oKQ6WR7Y8bFN4Std+v9beqBU910gRBOt/lQlaedQ==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=ffmpeg.org
 policy.dmarc=quarantine
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1767200356; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : date : from;
 bh=zJpN9ddB7mPQzkgkEfY6r0Ezlfzt0dICdSp34MHx6dU=;
 b=t2r2XsJPIMFO7jiOGyOu5KhjLUiXVRTYkR+Bccfiu+72I1WO/jUt6/pWk7OzL575Iec0g
 ewCPYHv+OgegbHIAC1OFtGVj5/MLy+5R4hAuBiEXPFQic5c1/ljM+768g5bzL1OwQivu+fu
 Wms0jC0Y7lEXvomtKdEan3wnMWjRxMLNJ8TPkqKnl9bWwQ6a3DIyRQPJWbeG88yB+cLJ1W9
 s15lkfDh0RtpjgCpiaxCCVnSNhS6r2uIZrgE054iUasiIJTCjSLBV78jUpk6eEsTgfhC42a
 WMu5j4Uh5Bu9zLl0aPjCVZG9mcBanM2+7sC/7fR1B0mjfWaLNkRER1/zvFxA==
Received: from de3a2b3407a2 (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id C737F6909CB
	for <ffmpeg-devel@ffmpeg.org>; Wed, 31 Dec 2025 18:59:16 +0200 (EET)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 31 Dec 2025 16:59:16 -0000
Message-ID: <176720035692.25.16909653844516735651@4457048688e7>
Message-ID-Hash: Z53HC5LZWBHKIAR6H5446HDM7CQDBKUO
X-Message-ID-Hash: Z53HC5LZWBHKIAR6H5446HDM7CQDBKUO
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] [6.0] avformat/img2dec: reject input images too big to fit
 into a single packet (PR #21340)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/Z53HC5LZWBHKIAR6H5446HDM7CQDBKUO/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/176720035692.25.16909653844516735651@4457048688e7/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: Timo Rothenpieler via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: Timo Rothenpieler <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/176720035692.25.16909653844516735651@4457048688e7/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #21340 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21340
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21340.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)


>>From 8588c7e914f9d1a77e90c6f5d49c040154960deb Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler <timo@rothenpieler.org>
Date: Wed, 31 Dec 2025 03:41:21 +0100
Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a
 single packet

Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.

Fixes #YWH-PGM40646-32

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)
---
 libavformat/img2dec.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c
index 5a63d7c81d..5e0ad0ee85 100644
--- a/libavformat/img2dec.c
+++ b/libavformat/img2dec.c
@@ -412,8 +412,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
     char filename_bytes[1024];
     char *filename = filename_bytes;
     int i, res;
-    int size[3]           = { 0 }, ret[3] = { 0 };
-    AVIOContext *f[3]     = { NULL };
+    int ret[3] = { 0 };
+    int64_t size[3] = { 0 };
+    int64_t total_size;
+    AVIOContext *f[3] = { NULL };
     AVCodecParameters *par = s1->streams[0]->codecpar;
 
     if (!s->is_pipe) {
@@ -493,7 +495,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
         }
     }
 
-    res = av_new_packet(pkt, size[0] + size[1] + size[2]);
+    total_size = size[0];
+    if (total_size > INT64_MAX - size[1])
+        return AVERROR_INVALIDDATA;
+    total_size += size[1];
+    if (total_size > INT64_MAX - size[2])
+        return AVERROR_INVALIDDATA;
+    total_size += size[2];
+    if (total_size > INT_MAX)
+        return AVERROR_INVALIDDATA;
+
+    res = av_new_packet(pkt, total_size);
     if (res < 0) {
         goto fail;
     }
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org