To: ffmpeg-devel@ffmpeg.org
Date: Wed, 31 Dec 2025 17:01:02 -0000
Message-ID: <176720046322.25.10456949762751493467@4457048688e7>
Subject: [FFmpeg-devel] [PR] [5.1] avformat/img2dec: reject input images too big to fit into a single packet (PR #21341)
From: Timo Rothenpieler via ffmpeg-devel
Cc: Timo Rothenpieler

PR #21341 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21341
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21341.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)

From 7552712b153f0f600c0302ce5f1e6333a9f90929 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler Date: Wed, 31 Dec 2025 03:41:21 +0100 Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet Not entirely sure if it should instead use some entirely different approach here, given that images exceeding 2GB don't seem that crazy to me, but so far processing such images results in a heap overflow, since the size addition overflows and a much too small packet is allocated and its size never checked again when writing into it. Fixes #YWH-PGM40646-32 (cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8) --- libavformat/img2dec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index bd7910cd3a..4a58a250f4 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -413,8 +413,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -494,7 +496,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
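
Review bot: the new `int64_t size[3]` in the @@ -413 hunk is signed, and the checks added later in the patch compute `INT64_MAX - size[1]` and `INT64_MAX - size[2]`, which themselves overflow if an element is negative. The assignments to size[] are outside the visible lines, so it is worth confirming that they store the full 64-bit value without passing through an int, and that a negative result is rejected before the summation, or adding an explicit `size[i] < 0` check next to the new range checks.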
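
Review bot: the three new `return AVERROR_INVALIDDATA;` statements in the @@ -494 hunk leave the function directly, while the `av_new_packet()` failure immediately below them uses `goto fail`. If the fail label releases the `f[]` contexts declared at the top of the function, these early returns skip that cleanup; setting `res = AVERROR_INVALIDDATA;` and jumping to `fail` would keep the error paths consistent. An `av_log()` at error level saying the image is too large for a single packet would also make the rejection diagnosable for users.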