From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id C5BE34EA23
	for <ffmpegdev@gitmailbox.com>; Wed, 11 Feb 2026 00:03:38 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'rP9xASFZnhh9v5Tc8HEredEkbDixuXtiDRQJ5i2+Lb8=', expected 
   b'K9pkMr2s1f2zBUu24Ahx2pWIavZFvPBFrxMafS+pf9s=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1770768215; h=mime-version : to :
 date : message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=rP9xASFZnhh9v5Tc8HEredEkbDixuXtiDRQJ5i2+Lb8=;
 b=U4bb/2+caQgRDQIBybXDgpSOJ0otnNhn1vvWz8Q6kAHlNQqIUzgxUaaXw5jmSkpS7VIQM
 /j/NuKozzJBd2nY9/MWTeocHXeR2cReLblGAnN/MH8/uWcgX0RwgoL6xYKvTGkJIKAB6lBW
 VQSi9qFjFclUY6aZuSYsMHyWLvjzSZ1jZT+80AdWcQhX0OTjmkir4w8hr3DxDxZXn77Lj4x
 HyGY4kujbsYN2KcvA8Vvz9NDji8ImAmy6boh4JP/0Ts6RkER5Jik5j4+LrfMFXDGUfynDv4
 hnZc+pJDYzOfog/gCeoMW8pE/C57lBkKhgP43cSenQ8CTQKDbZzix9fG/yIw==
Received: from [172.20.0.3] (unknown [172.20.0.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id EF73C6917C9;
	Wed, 11 Feb 2026 02:03:35 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1770768207;
 b=SnHWuaO9WPmHrDllM51d75td9UBnq3qgYy6dxdwl+HrpSuzbHK4XfoW59r+akn/dW+Bmb
 PhF4Z1wc7u26c1ZenU1BUWBwRi771hzsBz92nZWSHE4+Nsib9UDDNFRPneFxkT3BpSzRNoI
 +HIY06OG5eIBrhENrfSntmv9GOkgwzYGVxmLt1vsb6su5lT3GaiZOn1WNhBcvOvgHiFpxox
 jtDygvYYqIidAH5H7EoeKqZ8fwYt7HEkGCdfZW8hdc+8AWjjVpV4yRumS11G+Bi3Szycxau
 mbdo8dg4eHk0lZ0iBSLjTD6u3BuBplILm/7hpJjkCN0BAVJGlPrgIEEkTgRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1770768207; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=/4yUNT+xx0sDWTAZA0hSPFmypKxIVJ6YtFIwI2LRRgs=;
 b=uB7F5Oj+932fvSN72LwR7GW1kJvWHmc5LP8h2d465X0EW3UMOdexDGma0nWqJ0xgQfO4j
 68QXL8a1hP7rAvFSYvo0u/Fyw6Hpwp5MYyRxFXZhMXyiVnvblGi3Dm+ynpUfcTzjnBjtxXo
 7h19ICF9PDf5T1VHGYe/m6DrmIelMncpOzPO+wvru+SxyS2j9msYnL1Qao5mUSk+Q5I5PmV
 3ulEFA8VS0cmswA1w1jhTl5sgTqsym7Q9KTGApGke5p94oeJ06xaojDL1gZBtkKHzduwGJW
 1n6OY7ChXpVHxCvwoLV0ZzcbcCsz97xsBGisq7jfxAVmGhHsL0FHhxmQrtgg==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=ffmpeg.org
 policy.dmarc=quarantine
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1770768199; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : date : from;
 bh=K9pkMr2s1f2zBUu24Ahx2pWIavZFvPBFrxMafS+pf9s=;
 b=rPU7MkFdIWN4PSgzwUkdSGLjzcNXLSYbcCujiH09yLjIQA00q3M0rwjpPywMghCBXwX+v
 yq8NH1OBgKo+/dSzpSJgtnP4wjy3Pfg+IuJ58mc/ln6qwndJLdzhqAjawI3fGO/7NY4zZDq
 259Zm6IeAFnrSeUV4qoxHFmQHYcuw1JrUNpwJ0VjMfOcOoyvMHaEHFmC5GJhBZi0sdwdxVI
 IXz7vyOGgZ6skOj2ojQWgNyH9wfqYLRw4W1aF+n9L2xYBYAQC3TEgeT9Yf++BSW7wnUf7au
 On2C+1Dz7uTp2XY6fpxT4jpJjnOHyAnI3gzfb+laDC+IL26QkzB53+49Nqog==
Received: from c8d966988b92 (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id ED3D16917BD
	for <ffmpeg-devel@ffmpeg.org>; Wed, 11 Feb 2026 02:03:18 +0200 (EET)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 11 Feb 2026 00:03:18 -0000
Message-ID: <177076819907.25.6343766453708544520@009cbcb3d8cd>
Message-ID-Hash: KHDOXTO2Q5YTFLVKBW2KZ5Y3CECCZLYK
X-Message-ID-Hash: KHDOXTO2Q5YTFLVKBW2KZ5Y3CECCZLYK
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avformat/cafdec: Check nb_entries in read_info_chunk() (PR
 #21729)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/KHDOXTO2Q5YTFLVKBW2KZ5Y3CECCZLYK/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/177076819907.25.6343766453708544520@009cbcb3d8cd/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: michaelni <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/177076819907.25.6343766453708544520@009cbcb3d8cd/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #21729 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21729
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21729.patch

Fixes: Timeout
Fixes: 477315122/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5274792315125760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>


>>From 0eb83a4d5a8a70a2322f649aea31b8132ab54edf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 10 Feb 2026 22:46:58 +0100
Subject: [PATCH] avformat/cafdec: Check nb_entries in read_info_chunk()

Fixes: Timeout
Fixes: 477315122/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5274792315125760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/cafdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 656b473140..1557391ef3 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -326,6 +326,10 @@ static void read_info_chunk(AVFormatContext *s, int64_t size)
     AVIOContext *pb = s->pb;
     unsigned int i;
     unsigned int nb_entries = avio_rb32(pb);
+
+    if (3LL * nb_entries > size)
+        return;
+
     for (i = 0; i < nb_entries && !avio_feof(pb); i++) {
         char key[32];
         char value[1024];
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org