From: ruikai via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: ruikai <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avcodec/mjpegdec: avoid negative len in APP parser (PR #21401)
Date: Wed, 07 Jan 2026 01:29:06 -0000
Message-ID: <176774934741.25.11404351629046172013@4457048688e7>
PR #21401 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21401
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21401.patch
The APP parser can read a fixed number of bytes without checking len,
making len negative and passing it to bytestream2_skipu(), which takes
an unsigned size. This can advance the buffer by a huge amount and
results in undefined behavior.
Add small len guards in the fixed-size AVI1/LJIF paths and only skip
the tail if len > 0.
From 78b4d1317d48d4c94994a961fe47b62463304da0 Mon Sep 17 00:00:00 2001
From: retr0reg <retr0@retr0.blog>
Date: Tue, 6 Jan 2026 20:27:21 -0500
Subject: [PATCH] avcodec/mjpegdec: avoid negative len in APP parser
The APP parser can read a fixed number of bytes without checking len,
making len negative and passing it to bytestream2_skipu(), which takes
an unsigned size. This can advance the buffer by a huge amount and
results in undefined behavior.
Add small len guards in the fixed-size AVI1/LJIF paths and only skip
the tail if len > 0.
---
libavcodec/mjpegdec.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 417cedae4a..092bc3c2ff 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1905,6 +1905,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
4bytes field_size_less_padding
*/
s->buggy_avid = 1;
+ if (len < 1)
+ goto out;
i = bytestream2_get_byteu(&s->gB); len--;
av_log(s->avctx, AV_LOG_DEBUG, "polarity %d\n", i);
goto out;
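Review bot: the new `if (len < 1) goto out;` makes a truncated AVI1 segment silent: the parser now reaches `out:` with `len == 0`, and the check there only logs when `len < 0`, so the over-read that this path used to report as "decode_app parser read over the end" no longer shows up anywhere. Consider an `av_log(s->avctx, AV_LOG_DEBUG, ...)` (or reusing the error line) before the `goto out` so a malformed APP0/AVI1 segment still appears in decoder diagnostics; note also that `s->buggy_avid = 1` is set before the guard, which is fine but worth a one-line comment stating it is intentional.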
@@ -1969,6 +1971,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
if (s->avctx->debug & FF_DEBUG_PICT_INFO)
av_log(s->avctx, AV_LOG_INFO,
"Pegasus lossless jpeg header found\n");
+ if (len < 9)
+ goto out;
bytestream2_skipu(&s->gB, 2); /* version ? */
bytestream2_skipu(&s->gB, 2); /* unknown always 0? */
bytestream2_skipu(&s->gB, 2); /* unknown always 0? */
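Review bot: the threshold in `if (len < 9)` cannot be checked from this hunk; only three 2-byte skips (6 bytes) are visible, so a reader must trust that the reads further down the LJIF block account for the remaining 3 bytes. Add a comment on the guard naming the fields it covers (for example `/* 6 bytes skipped here plus the bytes read below */`), or derive the constant from the same place the block later adjusts `len`, so the guard and the reads cannot drift apart in a future edit.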
@@ -2163,7 +2167,7 @@ out:
if (len < 0)
av_log(s->avctx, AV_LOG_ERROR,
"mjpeg: error, decode_app parser read over the end\n");
- if (len)
+ if (len > 0)
bytestream2_skipu(&s->gB, len);
return 0;
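Review bot: `if (len > 0)` closes the signed-to-unsigned conversion, but the skip remains the unchecked `bytestream2_skipu()`, so correctness still depends on every path above keeping `len` inside the segment the caller validated. Given that `len < 0` is already treated as an error two lines above, the bounded `bytestream2_skip()` would add defence in depth here at no measurable cost. It is also worth stating in the commit message whether returning `0` after logging "read over the end" is intended, since the caller then continues as if the APP segment had parsed cleanly.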
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
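The failure mode the description and the patch address, negative `len` converted to a huge unsigned skip, is easy to reproduce in isolation. The following is an added example, not FFmpeg code: it models the APP0/AVI1 flow with a hypothetical `ByteCtx` reader standing in for `GetByteContext`, runs a constructed segment whose declared length leaves no room for the polarity byte through both the pre-patch and the guarded flow, and reports the size argument each flow would hand to an unsigned skip. The structure names, the sample bytes and the `0xFF 0xDA` trailer are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for libavcodec's GetByteContext; not FFmpeg code. */
typedef struct {
    const uint8_t *buf;
    const uint8_t *ptr;
    const uint8_t *end;
} ByteCtx;

/* Unchecked reads, in the spirit of bytestream2_get_byteu(): the caller must
 * already know that enough bytes remain. */
static unsigned get_byte(ByteCtx *c)
{
    return *c->ptr++;
}

static unsigned get_be16(ByteCtx *c)
{
    unsigned v = get_byte(c) << 8;
    return v | get_byte(c);
}

static uint32_t get_be32(ByteCtx *c)
{
    uint32_t v = (uint32_t)get_be16(c) << 16;
    return v | get_be16(c);
}

/* What the model parser ends up with for one segment. */
typedef struct {
    int      final_len; /* value of len when control reaches the "out:" label */
    unsigned skip_arg;  /* size that would be passed to an unsigned skip */
} ParseResult;

/*
 * Model of the APP segment flow: a 16-bit length that counts itself, a 4-byte
 * tag, then a 1-byte polarity field when the tag is "AVI1".
 * guarded == 0 reproduces the pre-patch flow, guarded == 1 the patched one.
 */
static ParseResult parse_app(const uint8_t *data, size_t size, int guarded)
{
    ByteCtx c = { data, data, data + size };
    ParseResult r = { 0, 0 };
    uint32_t id;
    int len;

    len = (int)get_be16(&c) - 2;   /* the length field includes its own 2 bytes */
    id  = get_be32(&c);
    len -= 4;

    if (id == 0x41564931u) {       /* "AVI1" */
        if (guarded && len < 1)    /* the patch's guard: nothing left to read */
            goto out;
        get_byte(&c);              /* polarity byte, read without checking len */
        len--;
    }

out:
    r.final_len = len;
    if (guarded)
        r.skip_arg = len > 0 ? (unsigned)len : 0;  /* patched: if (len > 0) */
    else
        r.skip_arg = len ? (unsigned)len : 0;      /* pre-patch: if (len) */
    return r;
}

/* Constructed sample: declared length 6 = 2 (length) + 4 (tag), so the segment
 * contains no polarity byte. The two trailing bytes stand in for whatever
 * follows the segment in a real stream (here the start of an SOS marker). */
static const uint8_t SAMPLE_TRUNCATED_AVI1[] = { 0x00, 0x06, 'A', 'V', 'I', '1', 0xFF, 0xDA };

static ParseResult run_unguarded(void)
{
    return parse_app(SAMPLE_TRUNCATED_AVI1, sizeof SAMPLE_TRUNCATED_AVI1, 0);
}

static ParseResult run_guarded(void)
{
    return parse_app(SAMPLE_TRUNCATED_AVI1, sizeof SAMPLE_TRUNCATED_AVI1, 1);
}

int main(void)
{
    ParseResult a = run_unguarded();
    ParseResult b = run_guarded();
    printf("pre-patch: len=%d skip=%u\n", a.final_len, a.skip_arg);
    printf("guarded:   len=%d skip=%u\n", b.final_len, b.skip_arg);
    return 0;
}
```

In the pre-patch flow the polarity read pushes `len` to -1, and `(unsigned)-1` becomes 4294967295, which is the "huge amount" the description refers to; in the guarded flow the parser stops at `len == 0` and skips nothing. The same arithmetic applies to the LJIF path, only with a larger fixed read.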