From mboxrd@z Thu Jan 1 00:00:00 1970
From: ruikai via ffmpeg-devel
Cc: ruikai
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 07 Jan 2026 01:29:06 -0000
Message-ID: <176774934741.25.11404351629046172013@4457048688e7>
Subject: [FFmpeg-devel] [PR] avcodec/mjpegdec: avoid negative len in APP parser (PR #21401)
List-Id: FFmpeg development discussions and patches
Content-Type: text/plain; charset="us-ascii"

PR #21401 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21401
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21401.patch

The APP parser can read a fixed number of bytes without checking len,
making len negative and passing it to bytestream2_skipu(), which takes
an unsigned size. This can advance the buffer by a huge amount and
results in undefined behavior.

Add small len guards in the fixed-size AVI1/LJIF paths and only skip
the tail if len > 0.

From 78b4d1317d48d4c94994a961fe47b62463304da0 Mon Sep 17 00:00:00 2001
From: retr0reg Date: Tue, 6 Jan 2026 20:27:21 -0500 Subject: [PATCH] avcodec/mjpegdec: avoid negative len in APP parser The APP parser can read a fixed number of bytes without checking len, making len negative and passing it to bytestream2_skipu(), which takes an unsigned size. This can advance the buffer by a huge amount and results in undefined behavior. Add small len guards in the fixed-size AVI1/LJIF paths and only skip the tail if len > 0. --- libavcodec/mjpegdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 417cedae4a..092bc3c2ff 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1905,6 +1905,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) 4bytes field_size_less_padding */ s->buggy_avid = 1; + if (len < 1) + goto out; i = bytestream2_get_byteu(&s->gB); len--; av_log(s->avctx, AV_LOG_DEBUG, "polarity %d\n", i); goto out; @@ -1969,6 +1971,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); + if (len < 9) + goto out; bytestream2_skipu(&s->gB, 2); /* version ? */ bytestream2_skipu(&s->gB, 2); /* unknown always 0? */ bytestream2_skipu(&s->gB, 2); /* unknown always 0? */ @@ -2163,7 +2167,7 @@ out: if (len < 0) av_log(s->avctx, AV_LOG_ERROR, "mjpeg: error, decode_app parser read over the end\n"); - if (len) + if (len > 0) bytestream2_skipu(&s->gB, len); return 0; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
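Review bot: in the first hunk (the AVI1 branch at line 1905), the new `if (len < 1) goto out;` makes a truncated segment silent: the diagnostic at `out:` only fires for `len < 0`, and after this guard len is 0, so an APP segment too short to hold its polarity byte is no longer reported at all. Consider emitting an AV_LOG_WARNING at the guard (or returning AVERROR_INVALIDDATA) so corrupt inputs stay visible in the log instead of being skipped without a trace.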
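Review bot: in the second hunk (the LJIF branch at line 1971), the constant in `if (len < 9)` is not explained by the visible context, which shows only three two-byte skips (6 bytes); whatever consumes the remaining bytes sits further down, outside the hunk. A one-line comment stating what the 9 covers, or placing the guard directly beside a matching `len -= 9`, would keep the guard and the fixed-size reads from drifting apart the next time this path is edited.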
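Review bot: in the third hunk (the `out:` label at line 2167), changing `if (len)` to `if (len > 0)` correctly keeps a negative len away from the unsigned `bytestream2_skipu()`, but the function still logs "decode_app parser read over the end" and then does `return 0`, so the caller continues with `s->gB` positioned past the segment's declared end. Consider returning AVERROR_INVALIDDATA in the `len < 0` case so an already over-read segment is treated as an error rather than resumed from a desynchronised position.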
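To make the failure mode in the PR description concrete, the following is an added, constructed C model of the len accounting, written for this discussion; it is not FFmpeg code and not the author's patch. `ByteReader`, `parse_app_segment`, `skip_unchecked` and the sample lengths are assumptions for the illustration. The reader tracks an offset rather than a pointer, so the oversized skip that the description warns about can be observed as a number instead of being undefined behaviour here; the `guarded` flag switches between the pre-patch and post-patch logic of both the fixed-size read and the tail skip.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for a bytestream reader (not FFmpeg's GetByteContext).
 * An offset is tracked instead of a pointer so that a huge skip stays
 * well-defined in this model and can be inspected.
 */
typedef struct {
    size_t pos;   /* current offset from the start of the segment */
    size_t size;  /* bytes actually present in the segment */
} ByteReader;

/* Same shape as the unsigned skip described in the PR: a negative int
 * passed here is converted to a very large unsigned value. */
static void skip_unchecked(ByteReader *r, unsigned int n)
{
    r->pos += n;
}

typedef struct {
    int in_bounds;   /* 1 if the reader never left the segment */
    int len_after;   /* len when the parser reached its exit label */
    int reported;    /* 1 if the "read over the end" diagnostic fired */
    size_t pos;      /* final reader offset */
} ParseResult;

/*
 * Parse one APP-style segment whose header declared `len` payload bytes
 * but which actually holds `present` bytes. The fixed-size path blindly
 * consumes `fixed` bytes (1 for an AVI1-style polarity byte, 9 for an
 * LJIF-style header). `guarded` selects the patched behaviour.
 */
static ParseResult parse_app_segment(int len, size_t present, int fixed, int guarded)
{
    ByteReader r = { 0, present };
    ParseResult res = { 0, 0, 0, 0 };

    if (guarded && len < fixed)
        goto out;                               /* patched: refuse the fixed read */

    skip_unchecked(&r, (unsigned int)fixed);    /* the unconditional fixed-size read */
    len -= fixed;

out:
    if (len < 0) {
        res.reported = 1;
        fprintf(stderr, "parser read over the end (len=%d)\n", len);
    }
    /* Original: `if (len)` lets a negative len reach the unsigned skip.
     * Patched:  `if (len > 0)` only ever skips a positive tail. */
    if (guarded ? (len > 0) : (len != 0))
        skip_unchecked(&r, (unsigned int)len);

    res.len_after = len;
    res.pos = r.pos;
    res.in_bounds = r.pos <= r.size;
    return res;
}

int main(void)
{
    /* Constructed case: an LJIF-style segment that declares only 5 bytes. */
    ParseResult before = parse_app_segment(5, 5, 9, 0);
    ParseResult after  = parse_app_segment(5, 5, 9, 1);
    printf("unpatched: pos=%zu in_bounds=%d reported=%d\n",
           before.pos, before.in_bounds, before.reported);
    printf("patched:   pos=%zu in_bounds=%d reported=%d\n",
           after.pos, after.in_bounds, after.reported);
    return 0;
}
```

Running the unpatched branch on the 5-byte segment leaves the reader billions of bytes past the end after the negative len reaches the unsigned skip; the patched branch stays within the segment. Note also what the patched branch does not do: because the guard exits with len still non-negative, the over-read diagnostic never fires for that short segment, so the input is skipped without any log entry.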