To: ffmpeg-devel@ffmpeg.org
Date: Wed, 11 Feb 2026 03:28:08 -0000
Message-ID: <177078048897.25.6887241352184952581@009cbcb3d8cd>
Subject: [FFmpeg-devel] [PR] avcodec/adpcm: fix heap-buffer-overflow in IMA MAGIX decoding (PR #21730)
From: oliverchang via ffmpeg-devel
Cc: oliverchang

PR #21730 opened by oliverchang
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21730
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21730.patch

The IMA MAGIX decoder calculates the output buffer size (nb_samples) based on the actual input packet size (buf_size) via get_nb_samples(). However, the decoding loop previously relied on avctx->block_align to determine the iteration count.

When block_align is larger than the actual packet size (e.g., a 71-byte packet with block_align=16384), the loop attempts to process more data than available. This results in out-of-bounds reads from the input bytestream and out-of-bounds writes to the allocated output buffer.

Fix this by adding a check for remaining input bytes (>= 8) to the loop condition, ensuring the loop terminates when the input is exhausted.

Co-authored-by: CodeMender
Signed-off-by: Oliver Chang
Fixes: https://issues.oss-fuzz.com/issues/471509958

From 84314a6ade2f04954ee6443d62b957ccfddc22c9 Mon Sep 17 00:00:00 2001
From: Oliver Chang Date: Wed, 11 Feb 2026 03:24:14 +0000 Subject: [PATCH] avcodec/adpcm: fix heap-buffer-overflow in IMA MAGIX decoding The IMA MAGIX decoder calculates the output buffer size (nb_samples) based on the actual input packet size (buf_size) via get_nb_samples(). However, the decoding loop previously relied on avctx->block_align to determine the iteration count. When block_align is larger than the actual packet size (e.g., a 71-byte packet with block_align=16384), the loop attempts to process more data than available. This results in out-of-bounds reads from the input bytestream and out-of-bounds writes to the allocated output buffer. Fix this by adding a check for remaining input bytes (>= 8) to the loop condition, ensuring the loop terminates when the input is exhausted. Co-authored-by: CodeMender Signed-off-by: Oliver Chang Fixes: https://issues.oss-fuzz.com/issues/471509958 --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index bd9ad2933f..2828cb8c31 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1799,7 +1799,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame, } } - for (int m = 0; m < avctx->block_align-8; m += 8) { + for (int m = 0; m < avctx->block_align-8 && bytestream2_get_bytes_left(&gb) >= 8; m += 8) { uint32_t v0 = bytestream2_get_le32u(&gb); uint32_t v1 = bytestream2_get_le32u(&gb); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
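Review bot: the new `bytestream2_get_bytes_left(&gb) >= 8` guard covers exactly the two unchecked 4-byte reads visible in the hunk (`bytestream2_get_le32u(&gb)` twice), so any later addition to the loop body that consumes more input per iteration would silently reintroduce the overflow; either a comment on the loop stating that the condition guarantees 8 bytes per iteration, or switching those two reads to the checked `bytestream2_get_le32()` variant, would make the invariant explicit. The commit message should also state the behaviour choice this implies: a packet shorter than block_align is now decoded partially instead of being rejected, and a regression sample for the 71-byte / block_align=16384 case from the report would pin that behaviour down.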
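To make the failure mode concrete, the following is an added C example (not FFmpeg code) that simulates the IMA MAGIX loop shape from the patch over a constructed 71-byte packet with block_align=16384, counting how many iterations and how many out-of-bounds 4-byte reads the pre-patch and patched loop conditions attempt. The `Reader` type and its helpers are assumed stand-ins for FFmpeg's `GetByteContext` and the `bytestream2_*` calls: they record an overrun instead of reading past the end, so the broken condition can be exercised safely.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed stand-in for FFmpeg's GetByteContext. Unlike the real unchecked
 * bytestream2_get_le32u(), this cursor records an overrun instead of reading
 * past the end, so the pre-patch loop can be exercised without UB. */
typedef struct {
    const uint8_t *buf;
    int size, pos;
    int overruns;   /* 4-byte reads that would have gone past the packet end */
} Reader;

static int reader_bytes_left(const Reader *r) { return r->size - r->pos; }

static uint32_t reader_get_le32u(Reader *r)
{
    if (r->pos + 4 > r->size) {  /* in the real decoder: heap-buffer-overflow read */
        r->overruns++;
        r->pos += 4;
        return 0;
    }
    const uint8_t *p = r->buf + r->pos;
    r->pos += 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Loop shape from the patch: 8 input bytes per iteration, bounded by block_align.
 * guard_input selects the pre-patch (false) or patched (true) condition.
 * Returns the number of iterations executed. */
static int magix_loop(Reader *r, int block_align, bool guard_input)
{
    int iterations = 0;
    for (int m = 0; m < block_align - 8 && (!guard_input || reader_bytes_left(r) >= 8); m += 8) {
        uint32_t v0 = reader_get_le32u(r);
        uint32_t v1 = reader_get_le32u(r);
        (void)v0; (void)v1;       /* the real decoder expands these into samples */
        iterations++;
    }
    return iterations;
}

/* Run the loop over a constructed zero-filled packet of buf_size bytes (<= 256). */
static int run_case(int block_align, int buf_size, bool guard_input, int *overruns)
{
    static const uint8_t packet[256] = {0};   /* constructed sample packet */
    Reader r = { packet, buf_size, 0, 0 };
    int n = magix_loop(&r, block_align, guard_input);
    *overruns = r.overruns;
    return n;
}
```

For the reported input the pre-patch condition runs 2047 iterations and attempts 4077 reads beyond the 71-byte packet, while the patched condition stops after 8 iterations with no overrun.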