To: ffmpeg-devel@ffmpeg.org
Date: Wed, 31 Dec 2025 17:01:57 -0000
Message-ID: <176720051762.25.4987968761126715267@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] [5.0] avformat/img2dec: reject input images too big to fit into a single packet (PR #21342)
From: Timo Rothenpieler via ffmpeg-devel
Cc: Timo Rothenpieler

PR #21342 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21342
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21342.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)


>>From 581c1fa957afb536b7ff3785354d0341b98c123d Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler Date: Wed, 31 Dec 2025 03:41:21 +0100 Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet Not entirely sure if it should instead use some entirely different approach here, given that images exceeding 2GB don't seem that crazy to me, but so far processing such images results in a heap overflow, since the size addition overflows and a much too small packet is allocated and its size never checked again when writing into it. Fixes #YWH-PGM40646-32 (cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8) --- libavformat/img2dec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index a6084ceef0..57c99ff79f 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -408,8 +408,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -489,7 +491,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
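Review bot: in the first hunk (the declarations at the top of ff_img_read_packet), size[3] is widened to int64_t while ret[3] stays int, and the code that fills and consumes size[i] lies between the two hunks and is not part of this diff. Please confirm that nothing there passes size[i] to a parameter declared int, or compares it against ret[i], in a way that still truncates for inputs above INT_MAX. Separately, the AVIOContext *f[3] line is removed and re-added with only its alignment changed; leaving it untouched would keep the backport minimal.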
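Review bot: in the second hunk, the three new checks leave the function with a bare return AVERROR_INVALIDDATA, while the av_new_packet failure immediately below uses goto fail. If the fail label is what releases the f[] contexts opened earlier in the non-pipe case, these early returns skip that cleanup; setting res = AVERROR_INVALIDDATA and jumping to fail would keep one error path. The guards total_size > INT64_MAX - size[1] and total_size > INT64_MAX - size[2] are also only sound for non-negative sizes: a negative size[i] makes the subtraction itself overflow, and the final total_size > INT_MAX test bounds the sum only from above. Rejecting size[i] < 0 (or total_size < 0) before calling av_new_packet would close that gap, unless the unchanged code above already guarantees it.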