To: ffmpeg-devel@ffmpeg.org
Date: Wed, 31 Dec 2025 17:04:14 -0000
Message-ID: <176720065540.25.13760816052854460499@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] [4.3] avformat/img2dec: reject input images too big to fit into a single packet (PR #21344)
From: Timo Rothenpieler via ffmpeg-devel
Cc: Timo Rothenpieler

PR #21344 opened by Timo Rothenpieler (BtbN)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21344
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21344.patch

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)


>>From 89b4e464dc8adf5a596738fe339b6d08b20fcf08 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler Date: Wed, 31 Dec 2025 03:41:21 +0100 Subject: [PATCH] avformat/img2dec: reject input images too big to fit into a single packet Not entirely sure if it should instead use some entirely different approach here, given that images exceeding 2GB don't seem that crazy to me, but so far processing such images results in a heap overflow, since the size addition overflows and a much too small packet is allocated and its size never checked again when writing into it. Fixes #YWH-PGM40646-32 (cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8) --- libavformat/img2dec.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 7d173d8030..9f42dfdbb0 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -406,8 +406,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) char filename_bytes[1024]; char *filename = filename_bytes; int i, res; - int size[3] = { 0 }, ret[3] = { 0 }; - AVIOContext *f[3] = { NULL }; + int ret[3] = { 0 }; + int64_t size[3] = { 0 }; + int64_t total_size; + AVIOContext *f[3] = { NULL }; AVCodecParameters *par = s1->streams[0]->codecpar; if (!s->is_pipe) { @@ -487,7 +489,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - res = av_new_packet(pkt, size[0] + size[1] + size[2]); + total_size = size[0]; + if (total_size > INT64_MAX - size[1]) + return AVERROR_INVALIDDATA; + total_size += size[1]; + if (total_size > INT64_MAX - size[2]) + return AVERROR_INVALIDDATA; + total_size += size[2]; + if (total_size > INT_MAX) + return AVERROR_INVALIDDATA; + + res = av_new_packet(pkt, total_size); if (res < 0) { goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
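Review bot: in the declaration hunk (@@ -406,8 +406,10) the `AVIOContext *f[3] = { NULL };` line is removed and re-added with what appears to be only realigned whitespace; for a cherry-pick to a release branch that churn could be dropped so the backport stays minimal. With size[] now int64_t, any use of size[i] elsewhere in ff_img_read_packet() that expects an int (not visible in this diff) becomes an implicit narrowing and is worth confirming against the 4.3 source.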
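Review bot: the three new overflow checks ahead of av_new_packet() in the second hunk (@@ -487,7 +489,17) leave with a bare `return AVERROR_INVALIDDATA;`, while the av_new_packet() failure directly below them goes through `goto fail;`. Whatever cleanup the fail label performs for the f[] contexts declared at the top of the function is skipped on these new paths; setting `res = AVERROR_INVALIDDATA;` and using `goto fail;` would keep the error handling uniform. The checks also bound the sum only from above: `INT64_MAX - size[1]` is well defined only for a non-negative size[1], and a negative total_size passes `total_size > INT_MAX` and reaches av_new_packet(), so rejecting `total_size < 0` here (or each negative size[i] where the array is filled, which is outside this diff) is worth adding.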