From: sanks011 via ffmpeg-devel
Cc: sanks011
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 22 Feb 2026 08:30:34 -0000
Subject: [FFmpeg-devel] [PR] avformat: check avio_read() return values in dss, dtshd, and mlv demuxers (PR #22250)
Message-ID: <177174903484.25.17573025151619581678@29965ddac10e>
Reply-To: FFmpeg development discussions and patches
List-Id: FFmpeg development discussions and patches

PR #22250 opened by sanks011
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22250
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22250.patch

Multiple FFmpeg demuxers call avio_read() without checking the return value. With truncated input, destination buffers remain uninitialized but are still used (memcmp, metadata handling, offset calculations), leading to undefined behavior detectable with Valgrind/MSan.

This patch series fixes three demuxers:
- libavformat/dss.c: dss_read_seek()
- libavformat/dtshddec.c: dtshd_read_header() FILEINFO path
- libavformat/mlvdec.c: check_file_header()

Fixes: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/21520

From 457930d5598f1bd010d90b0ed0e52a12959de4cc Mon Sep 17 00:00:00 2001
From: Sankalpa Sarkar Date: Sun, 22 Feb 2026 13:47:34 +0530 Subject: [PATCH 1/3] avformat/dss: check avio_read() return value in dss_read_seek() dss_read_seek() reads into a stack buffer via avio_read() but does not check the return value. With truncated input, the header buffer remains uninitialized and is used to derive offsets and branch conditions, leading to undefined behavior detectable with Valgrind. Fixes part of: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/21520 Signed-off-by: Sankalpa Sarkar --- libavformat/dss.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/dss.c b/libavformat/dss.c index 6cabdb5421..af56d1b271 100644 --- a/libavformat/dss.c +++ b/libavformat/dss.c @@ -339,7 +339,9 @@ static int dss_read_seek(AVFormatContext *s, int stream_index, if (ret < 0) return ret; - avio_read(s->pb, header, DSS_AUDIO_BLOCK_HEADER_SIZE); + ret = avio_read(s->pb, header, DSS_AUDIO_BLOCK_HEADER_SIZE); + if (ret < DSS_AUDIO_BLOCK_HEADER_SIZE) + return ret < 0 ? ret : AVERROR_EOF; ctx->swap = !!(header[0] & 0x80); offset = 2*header[1] + 2*ctx->swap; if (offset < DSS_AUDIO_BLOCK_HEADER_SIZE) -- 2.52.0 >>From b68ce209820a7210b289eefae4c2035b90a4f02a Mon Sep 17 00:00:00 2001 From: Sankalpa Sarkar Date: Sun, 22 Feb 2026 13:47:51 +0530 Subject: [PATCH 2/3] avformat/dtshddec: check avio_read() return value in FILEINFO path dtshd_read_header() FILEINFO path uses avio_read() without checking the return value. On truncated input, the heap buffer may be partially uninitialized but is still used for metadata, leading to undefined behavior. Fixes part of: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/21520 Signed-off-by: Sankalpa Sarkar --- libavformat/dtshddec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/dtshddec.c b/libavformat/dtshddec.c index b980fde6a9..779f8aa576 100644 --- a/libavformat/dtshddec.c +++ b/libavformat/dtshddec.c 
@@ -125,8 +125,12 @@ static int dtshd_read_header(AVFormatContext *s) value = av_malloc(chunk_size); if (!value) goto skip; - avio_read(pb, value, chunk_size); - value[chunk_size - 1] = 0; + ret = avio_read(pb, value, chunk_size); + if (ret < 0) { + av_free(value); + return ret; + } + value[ret - 1] = 0; av_dict_set(&s->metadata, "fileinfo", value, AV_DICT_DONT_STRDUP_VAL); break; -- 2.52.0 >>From c900277eadde4e5b4c39a584e878d5e4dae81621 Mon Sep 17 00:00:00 2001 From: Sankalpa Sarkar Date: Sun, 22 Feb 2026 13:48:11 +0530 Subject: [PATCH 3/3] avformat/mlvdec: check avio_read() return value in check_file_header() check_file_header() uses avio_read() to read the version field but does not check the return value. With truncated input, the version buffer remains uninitialized and is used in memcmp(), leading to undefined behavior detectable with Valgrind/MSan. Fixes part of: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/21520 Signed-off-by: Sankalpa Sarkar --- libavformat/mlvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 3a5d211085..4036c748dc 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -79,7 +79,8 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) size = avio_rl32(pb); if (size < 52) return AVERROR_INVALIDDATA; - avio_read(pb, version, 8); + if (avio_read(pb, version, 8) < 8) + return AVERROR_INVALIDDATA; if (memcmp(version, MLV_VERSION, 5) || avio_rl64(pb) != guid) return AVERROR_INVALIDDATA; avio_skip(pb, size - 24); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
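Review bot: In the dss.c hunk (dss_read_seek), `ret` is reused for the avio_read() byte count right after `if (ret < 0) return ret;` guarded the previous call, so confirm nothing later in the function still expects the earlier value; the `ret < DSS_AUDIO_BLOCK_HEADER_SIZE` check with `return ret < 0 ? ret : AVERROR_EOF;` is otherwise the right mapping, since avio_read() returns a short count at end of stream and a negative code on error, and it keeps real I/O errors distinguishable from a truncated header.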
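Review bot: In the dtshddec.c hunk, `value[ret - 1] = 0;` writes one byte before the allocation when avio_read() returns 0, which the new `if (ret < 0)` check does not exclude; use `if (ret <= 0)` and map 0 to AVERROR_EOF, or show that `chunk_size` is already rejected when zero above this hunk. The hunk also assumes an `int ret` already exists in dtshd_read_header(), which is not visible here, and it changes behaviour on a read error from continuing with the rest of the header to failing the whole file with `return ret`; say in the commit message that this is intended.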
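Review bot: In the mlvdec.c hunk, `if (avio_read(pb, version, 8) < 8) return AVERROR_INVALIDDATA;` reports a genuine I/O error (or AVERROR_EOF) as invalid data, hiding the cause from the caller; for consistency with the dss.c patch in this series, keep the negative code when there is one, e.g. `ret = avio_read(pb, version, 8); if (ret < 8) return ret < 0 ? ret : AVERROR_INVALIDDATA;` (declaring `int ret` in check_file_header() if it does not already have one). Treating a merely short version field as AVERROR_INVALIDDATA is fine for a file header check.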
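The series above fixes three call sites one by one; as an added example (not code from the PR or from FFmpeg), the block below models avio_read()'s return contract over an in-memory byte string and shows the hardened form of both read patterns the series touches: the exact-size field (the DSS block header and, by the same idiom, the MLV version string) and the variable-length DTS-HD FILEINFO text chunk. `ByteIO`, `io_read`, `read_exact`, `parse_dss_header`, `read_string_chunk`, `dss_offset_from_bytes` and `chunk_len_from_bytes` are names invented here, the input bytes are constructed, the DSS field layout is taken from the dss.c hunk, and the AVERROR_* values reproduce FFmpeg's macros. It goes one step beyond the dtshddec.c patch by guarding the zero-byte case and allocating one spare byte so the terminator overwrites no payload.

```c
/* Added example, not code from the PR or from FFmpeg: a stand-alone model of
 * avio_read()'s return convention and of the two read patterns this series hardens.
 * ByteIO, io_read, read_exact, parse_dss_header, read_string_chunk and the
 * *_from_bytes helpers are names invented here; the AVERROR_* values are FFmpeg's. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MKTAG(a, b, c, d)    ((a) | ((b) << 8) | ((c) << 16) | ((unsigned)(d) << 24))
#define FFERRTAG(a, b, c, d) (-(int)MKTAG(a, b, c, d))
#define AVERROR_EOF          FFERRTAG('E', 'O', 'F', ' ')
#define AVERROR_INVALIDDATA  FFERRTAG('I', 'N', 'D', 'A')
#define DSS_AUDIO_BLOCK_HEADER_SIZE 6

typedef struct { const uint8_t *data; int len; int pos; } ByteIO; /* in-memory "file" */
typedef struct { int swap; int offset; } DssHeader;

/* Mirrors avio_read(): returns the bytes copied (fewer than `size` at end of stream)
 * or AVERROR_EOF when nothing could be read; the unread tail of `buf` is never touched. */
static int io_read(ByteIO *io, uint8_t *buf, int size)
{
    int avail = io->len - io->pos, n = avail < size ? avail : size;
    if (n <= 0)
        return size > 0 ? AVERROR_EOF : 0;
    memcpy(buf, io->data + io->pos, (size_t)n);
    io->pos += n;
    return n;
}

/* Exact-size field (DSS block header, MLV version string): a short read is failure.
 * I/O errors propagate unchanged; a partial read maps to AVERROR_EOF, as in patch 1. */
static int read_exact(ByteIO *io, uint8_t *buf, int size)
{
    int ret = io_read(io, buf, size);
    if (ret < size)
        return ret < 0 ? ret : AVERROR_EOF;
    return 0;
}

/* Layout taken from the dss.c hunk: bit 7 of byte 0 is the swap flag, byte 1 scales
 * the offset. header[] is inspected only after read_exact() confirmed all 6 bytes. */
static int parse_dss_header(ByteIO *io, DssHeader *out)
{
    uint8_t header[DSS_AUDIO_BLOCK_HEADER_SIZE];
    int ret = read_exact(io, header, sizeof header);
    if (ret < 0)
        return ret;
    out->swap   = !!(header[0] & 0x80);
    out->offset = 2 * header[1] + 2 * out->swap;
    return out->offset < DSS_AUDIO_BLOCK_HEADER_SIZE ? AVERROR_INVALIDDATA : 0;
}

/* Variable-length text chunk (DTS-HD FILEINFO): a truncated string is still kept, but
 * the NUL must follow the bytes actually read and a zero-byte result must never index
 * value[-1]. One spare byte is allocated so the terminator overwrites no payload.
 * Returns NULL with *err set on failure. */
static char *read_string_chunk(ByteIO *io, int chunk_size, int *err)
{
    char *value; int ret;
    if (chunk_size <= 0) { *err = AVERROR_INVALIDDATA; return NULL; }
    if (!(value = malloc((size_t)chunk_size + 1))) { *err = -ENOMEM; return NULL; } /* AVERROR(ENOMEM) */
    ret = io_read(io, (uint8_t *)value, chunk_size);
    if (ret <= 0) {                  /* <= 0, not < 0: this is the value[-1] guard */
        free(value);
        *err = ret < 0 ? ret : AVERROR_EOF;
        return NULL;
    }
    value[ret] = '\0';
    return value;
}

/* Scenario helpers over constructed bytes: each returns the parsed offset (>= 6) or
 * the string length kept on success, or the negative AVERROR code on failure. */
static int dss_offset_from_bytes(const uint8_t *b, int len)
{
    ByteIO io = { b, len, 0 };
    DssHeader h = { 0, 0 };
    int ret = parse_dss_header(&io, &h);
    return ret < 0 ? ret : h.offset;
}

static int chunk_len_from_bytes(const uint8_t *b, int len, int chunk_size)
{
    ByteIO io = { b, len, 0 };
    int err = 0;
    char *s = read_string_chunk(&io, chunk_size, &err);
    int n = s ? (int)strlen(s) : err;
    free(s);
    return n;
}

int main(void)
{   /* Constructed inputs: a complete DSS header, the same header cut after three
     * bytes, and a FILEINFO chunk declaring 32 bytes where only 7 remain in the file. */
    static const uint8_t full[] = { 0x83, 0x04, 0, 0, 0, 0 }, cut[] = { 0x83, 0x04, 0 };
    printf("complete: offset %d; truncated: %d (AVERROR_EOF is %d); FILEINFO: %d chars kept\n",
           dss_offset_from_bytes(full, 6), dss_offset_from_bytes(cut, 3), AVERROR_EOF,
           chunk_len_from_bytes((const uint8_t *)"Track 1", 7, 32));
    return 0;
}
```

The two helpers split along the line the series draws: read_exact() refuses anything but the full field, because the DSS offset arithmetic and the MLV memcmp() make no sense on a partial value, while read_string_chunk() accepts a partial FILEINFO string but places the terminator at `value[ret]` rather than `value[ret - 1]`, which is why a zero-byte read has to be rejected before indexing. A real I/O error from the stream (any negative return other than AVERROR_EOF) passes through both unchanged.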