To: ffmpeg-devel@ffmpeg.org
Date: Wed, 31 Dec 2025 17:03:15 -0000
Message-ID: <176720059591.25.10952846570070651838@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] [4.4] avformat/img2dec: reject input images too big to fit into a single packet (PR #21343)
List-Id: FFmpeg development discussions and patches
From: Timo Rothenpieler via ffmpeg-devel
Cc: Timo Rothenpieler

PR #21343 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21343
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21343.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)


>>From 1b8d871168596bfd815f26ebf7ed5a0696893027 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler Date: Wed, 31 Dec 2025 03:41:21 +0100 Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet Not entirely sure if it should instead use some entirely different approach here, given that images exceeding 2GB don't seem that crazy to me, but so far processing such images results in a heap overflow, since the size addition overflows and a much too small packet is allocated and its size never checked again when writing into it. Fixes #YWH-PGM40646-32 (cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8) --- libavformat/img2dec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index e4cf1f6b7a..4ef0309aec 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -409,8 +409,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -490,7 +492,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
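Review bot: in the declarations hunk (@@ -409,8 +409,10), size[] is widened to int64_t while ret[] stays int, so any later use that passes size[i] where an int length is expected, or compares it against ret[i], now narrows implicitly. Those call sites are not part of this patch; please confirm each one is only reached after the new total_size > INT_MAX rejection, or make the narrowing explicit there. The AVIOContext *f[3] line is also removed and re-added with only whitespace changed; leaving it untouched would keep the backport diff to the lines that matter.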
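Review bot: in the second hunk (@@ -490,7 +492,17), the three new return AVERROR_INVALIDDATA; statements leave the function directly, while the av_new_packet() failure immediately after them goes through goto fail. If fail is where the f[] contexts opened in the !s->is_pipe path are released, the early returns skip that cleanup; setting res = AVERROR_INVALIDDATA; and using goto fail for all three would keep a single error path. Separately, total_size > INT64_MAX - size[1] and the matching size[2] check are only well-defined when size[i] is non-negative, so a size[i] < 0 rejection before the sum, or a comment on why that cannot occur, would close the remaining gap.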