From: ruikai via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: ruikai
Reply-To: FFmpeg development discussions and patches
Date: Sun, 11 Jan 2026 02:15:25 -0000
Message-ID: <176809772605.25.15981132594218299851@4457048688e7>
Subject: [FFmpeg-devel] [PR] avcodec/sanm: fix OOB reads in bl16_decode_1() and bl16_decode_7() (PR #21430)

PR #21430 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21430
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21430.patch

bl16_decode_1() and bl16_decode_7() use the unchecked reads bytestream2_get_le16u / bytestream2_get_byteu but only validate (width*height)/2 or (width*height)/4 bytes. The actual number of samples read is hh * hw, where hh = (height + 1) >> 1 and hw = (width - 1) >> 1.

Fix by checking the actual consumption (hh * (width - 1) >> 1) * {2, 1} bytes before decoding. Keep hw as is since it's used for the loop condition.

>>From 0dccbd100729d2cfbe3f30fe619111adb80e9a87 Mon Sep 17 00:00:00 2001
From: Ruikai Peng Date: Sat, 10 Jan 2026 21:03:59 -0500 Subject: [PATCH] avcodec/sanm: fix OOB reads in bl16_decode_1() and bl16_decode_7() bl16_decode_1() and bl16_decode_7() uses unchecked read bytestream2_get_le16u / bytestream2_get_byteu read but only validate (width*height)/2 or (width*height)/4 bytes. The actual number of samples read is hh * hw, where hh = (height + 1) >> 1 and hw = (width - 1) >> 1. Fix by checking the actual consumption (hh * (width - 1) >> 1) * {2, 1} bytes before decoding. keep hw as is since it's used for the loop condition. --- libavcodec/sanm.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 771ecf8246..dca844a725 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -2274,10 +2274,9 @@ static int bl16_decode_1(SANMVideoContext *ctx) { uint16_t hh, hw, c1, c2, *dst1, *dst2; - if (bytestream2_get_bytes_left(&ctx->gb) < ((ctx->width * ctx->height) / 2)) - return AVERROR_INVALIDDATA; - hh = (ctx->height + 1) >> 1; + if (bytestream2_get_bytes_left(&ctx->gb) < 2 * hh * ((ctx->width - 1) >> 1)) + return AVERROR_INVALIDDATA; dst1 = (uint16_t *)ctx->frm0 + ctx->pitch; /* start with line 1 */ while (hh--) { hw = (ctx->width - 1) >> 1; @@ -2601,10 +2600,9 @@ static int bl16_decode_7(SANMVideoContext *ctx) { uint16_t hh, hw, c1, c2, *dst1, *dst2; - if (bytestream2_get_bytes_left(&ctx->gb) < ((ctx->width * ctx->height) / 4)) - return AVERROR_INVALIDDATA; - hh = (ctx->height + 1) >> 1; + if (bytestream2_get_bytes_left(&ctx->gb) < hh * ((ctx->width - 1) >> 1)) + return AVERROR_INVALIDDATA; dst1 = (uint16_t *)ctx->frm0 + ctx->pitch; /* start with line 1 */ while (hh--) { hw = (ctx->width - 1) >> 1; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
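Review bot: in the bl16_decode_1() hunk the new bound 2 * hh * ((ctx->width - 1) >> 1) is smaller than the old (ctx->width * ctx->height) / 2 for some frame sizes (4x4 gives 4 bytes instead of 8), so it is only sufficient if the loop reads exactly one 16-bit sample per inner iteration and nothing else. The loop body is outside the hunk context; please confirm there is no extra read per row or per sample, and if there is, add it to the bound before dropping the old check.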
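Review bot: in the bl16_decode_7() hunk the check evaluates (ctx->width - 1) >> 1 at full integer width, while the loop stores the same expression into the uint16_t hw, so the checked count and the iterated count differ whenever the value does not fit in 16 bits or ctx->width is below 1 (assuming a signed width, which these lines do not show, the expression goes negative and the comparison passes). Suggest computing the per-row count once into a local, rejecting a non-positive value, and using that local both in the check and to initialise hw inside the loop; the same applies to bl16_decode_1().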