On Sat, Jun 24, 2023 at 09:14:53PM +0200, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: out of array access > > Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b > > > > Found-by: Catena cyber > > Signed-off-by: Michael Niedermayer > > --- > > libavcodec/parser.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/parser.c b/libavcodec/parser.c > > index efc28b8918..db39e698ab 100644 > > --- a/libavcodec/parser.c > > +++ b/libavcodec/parser.c > > @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next, > > for (; pc->overread > 0; pc->overread--) > > pc->buffer[pc->index++] = pc->buffer[pc->overread_index++]; > > > > - if (next > *buf_size) > > + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND)) > > return AVERROR(EINVAL); > > > > /* flush remaining if EOF */ > > Could you provide more details about this? E.g. which parser is this > about at all? And how can we actually come in this situation at all? > (Whenever I looked at ff_combine_frame() I do not really understand what > its invariants are supposed to be.) truehd with a malloc() failure and i dont think it should happen but, it felt like a good idea to check also *buf_size should probably be reset to 0, there was a patch about that from reimar (in CC) thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Frequently ignored answer#1 FFmpeg bugs should be sent to our bugtracker. User questions about the command line tools should be sent to the ffmpeg-user ML. And questions about how to use libav* should be sent to the libav-user ML.