From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id AFF2C4D177 for ; Tue, 13 Jan 2026 20:57:54 +0000 (UTC) Authentication-Results: ffbox; dkim=fail (body hash mismatch (got b'EaLw2HvNF3MazgvRdDvXUhpCaH5M1kI1te2q0g/L5mQ=', expected b'myYNs3OLYw8qoT2eyIm3LQf/4ojPgwKwhUQs6Ugq1Yk=')) header.d=ffmpeg.org header.i=@ffmpeg.org header.a=rsa-sha256 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org; i=@ffmpeg.org; q=dns/txt; s=mail; t=1768337864; h=mime-version : to : date : message-id : reply-to : subject : list-id : list-archive : list-archive : list-help : list-owner : list-post : list-subscribe : list-unsubscribe : from : cc : content-type : content-transfer-encoding : from; bh=EaLw2HvNF3MazgvRdDvXUhpCaH5M1kI1te2q0g/L5mQ=; b=TRZMtcploaEslWGjqiCFKqtYcD90nqghutgwWuFmwD/5eay0+HXwBdPvluIPnb7/i2zs3 PUXpuTx9HIVozhvOeKRfYXjUqNJcQUiu8IT5a1K3dS8qBeLX1S/k9ZbgnET1bdkT+aGOAxh 0JHnQ9T7nwuAUW6lWjmh1Q0vYWcdaHINJv0u4YBG3KfbJ6Yc6JUiHSacdXKAXK26+ekRqy0 Gnxir3oue1mXeSFQjiaDR7gpuYquwUS1hD+qoeUnWLqKYooO7VbtHtf2KMdrxQjFbS7yv3I tiKMY85xyKOKgORZwgmhjz6enxl6GJj7Sic7l2Ny6hdnA/JaJFVTpV5DEGtQ== Received: from [172.20.0.4] (unknown [172.20.0.4]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id B6200690DFF; Tue, 13 Jan 2026 22:57:44 +0200 (EET) ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1768337848; b=ryQe7hDzOuh93mIh3bfu5iquqyB2iiOMaYlPX+pUFATrGAcIvPpWb3PDhDo1JEZLEFpfH wpbNqiZ3ZdBqQMXOUxVg+6GILbWicx54kWhFgv65HKpN0pS9ytw4HaEX8hiehepXCE/bMXX XVIx9mV8tmdXJ6qwVaABofrpg6BJCQrf7O8FZ+yyQA9SY6OpS00EfV8mBjYZoDhRhr/bjvn gHy2C8iiB7ta6o0+1vBwaFGZV++pP5pAfBgwCbu40CErm6umWNgfB9ESDStopNLfRLPbgsU Vna8Pgis88i2TtFoRZ6u+raS8mjzE8cPQw+HoH9tBI+yJ75cf07IXTCl2DCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ffmpeg.org; s=arc; t=1768337848; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=ikQf/Rg6BlrzvfAG0USgcFjCD2jLaONVYGzCdZv9Og8=; b=cNWXLT2kPeMKmRDYXXjCNAlOo/0NWtN6EJ9LAKJ17pqhAXCQ0ljwZPhFwdrRMCjmSyxNm DHIyoJoCDXDmS4niuHz7YO578bx+RQSb3dVokbrcT85ZqzB05vIM7snxjJv0uFNvZTMBauk PMSUqGFNGeldgDdh7IhzfjYblZ+UsoCX/0d9efQQmxG3coG0ziEEqbsJcZhi7Y+dUh8WAMT rIFX9lavkN8o7iS4b2+mi4hkUy/sHnh2JfmHocYl3rpdd+uhRsSj29gitoELxXlwDBHB8bi dH443sJ9YZVUwZcNoKZ6YcSB5tgZIgT3crLkC+zKQW+LkS1lXFsvd9TIYQBA== ARC-Authentication-Results: i=1; ffmpeg.org; dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org; arc=none; dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine Authentication-Results: ffmpeg.org; dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org; arc=none (Message is not ARC signed); dmarc=pass (Used From Domain Record) header.from=ffmpeg.org policy.dmarc=quarantine DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org; i=@ffmpeg.org; q=dns/txt; s=mail; t=1768337841; h=content-type : mime-version : content-transfer-encoding : from : to : reply-to : subject : date : from; bh=myYNs3OLYw8qoT2eyIm3LQf/4ojPgwKwhUQs6Ugq1Yk=; b=YYwpWE4C8JEjAlQlo8iiONI+QaTKEBL+hAijE8/4pI9BxEJe44kKQ6sziTuFLnldqnL25 WvCvHV736+Xoh88vMGGi3e7/VrrrRfrhOL5Y32q41NRubHBkocwwLPIpCOrodLKJA/hzbLH 3URfTfKVfiD0Grvyo7UfW8JtuRuu/kQLiM/9djlAYzmdnmGZRPYG5gwC+/9qxQ5fnLwg0kx GVt8zfM7NBLEskIxYicF99blFk4ExQSboHkXAaPWLnX5+w+HaxloUJjoxRzNTxAHYYses/8 nPsrsSuztTh4BuPkFCvx1PgSKtPNWWjAEWhdFStl8N4NPq+eCgcV4F+XWUdg== Received: from f7c34508609e (code.ffmpeg.org [188.245.149.3]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 9FE8068C02C for ; Tue, 13 Jan 2026 22:57:21 +0200 (EET) MIME-Version: 1.0 To: ffmpeg-devel@ffmpeg.org Date: Tue, 13 Jan 2026 20:57:21 -0000 Message-ID: <176833784183.25.1373043857057004856@4457048688e7> Message-ID-Hash: ZN6HMBZRRG37PMGUTUWKM5WAIZZ6QLDR X-Message-ID-Hash: ZN6HMBZRRG37PMGUTUWKM5WAIZZ6QLDR X-MailFrom: code@ffmpeg.org X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-ffmpeg-devel.ffmpeg.org-0; header-match-ffmpeg-devel.ffmpeg.org-1; header-match-ffmpeg-devel.ffmpeg.org-2; header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation X-Mailman-Version: 3.3.10 Precedence: list Reply-To: FFmpeg development discussions and patches Subject: [FFmpeg-devel] [PR] avcodec/sanm: fix BL16 c1/7 source overread (PR #21453) List-Id: FFmpeg development discussions and patches Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Manuel Lauss via ffmpeg-devel Cc: Manuel Lauss Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Archived-At: List-Archive: List-Post: PR #21453 opened by Manuel Lauss (mlauss2) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21453 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21453.patch Fix the required size calculation to avoid a source buffer overread. Reported-by: Ruikai Peng Signed-off-by: Manuel Lauss >>From 18eb00a038567709d31160d80701ad8915818bdc Mon Sep 17 00:00:00 2001 From: Manuel Lauss Date: Tue, 13 Jan 2026 21:21:42 +0100 Subject: [PATCH] avcodec/sanm: fix BL16 c1/7 source overread Fix the required size calculation. Reported-by: Ruikai Peng Signed-off-by: Manuel Lauss --- libavcodec/sanm.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 771ecf8246..fc07ec659c 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -2272,15 +2272,15 @@ static inline uint16_t bl16_c1_avg_col(uint16_t c1, uint16_t c2) */ static int bl16_decode_1(SANMVideoContext *ctx) { - uint16_t hh, hw, c1, c2, *dst1, *dst2; - - if (bytestream2_get_bytes_left(&ctx->gb) < ((ctx->width * ctx->height) / 2)) - return AVERROR_INVALIDDATA; + uint16_t hh, hw, hw1, c1, c2, *dst1, *dst2; hh = (ctx->height + 1) >> 1; + hw1 = (ctx->width - 1) >> 1; + if (!hw1 || (bytestream2_get_bytes_left(&ctx->gb) < (hh * hw1 * 2))) + return AVERROR_INVALIDDATA; dst1 = (uint16_t *)ctx->frm0 + ctx->pitch; /* start with line 1 */ while (hh--) { - hw = (ctx->width - 1) >> 1; + hw = hw1; c1 = bytestream2_get_le16u(&ctx->gb); dst1[0] = c1; dst1[1] = c1; @@ -2599,15 +2599,15 @@ static int bl16_decode_6(SANMVideoContext *ctx) */ static int bl16_decode_7(SANMVideoContext *ctx) { - uint16_t hh, hw, c1, c2, *dst1, *dst2; - - if (bytestream2_get_bytes_left(&ctx->gb) < ((ctx->width * ctx->height) / 4)) - return AVERROR_INVALIDDATA; + uint16_t hh, hw, hw1, c1, c2, *dst1, *dst2; hh = (ctx->height + 1) >> 1; + hw1 = (ctx->width - 1) >> 1; + if (!hw1 || (bytestream2_get_bytes_left(&ctx->gb) < (hh * hw1))) + return AVERROR_INVALIDDATA; dst1 = (uint16_t *)ctx->frm0 + ctx->pitch; /* start with line 1 */ while (hh--) { - hw = (ctx->width - 1) >> 1; + hw = hw1; c1 = ctx->codebook[bytestream2_get_byteu(&ctx->gb)]; dst1[0] = c1; /* leftmost 2 pixels of a row are identical */ dst1[1] = c1; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org