From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id DA05048880 for ; Fri, 15 Aug 2025 14:53:54 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id E8F1F68D271; Fri, 15 Aug 2025 17:53:49 +0300 (EEST) Received: from 1e8b7847f7d1 (code.ffmpeg.org [188.245.149.3]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 24A3868CA1E for ; Fri, 15 Aug 2025 17:53:48 +0300 (EEST) MIME-Version: 1.0 From: Marvin Scholz To: ffmpeg-devel@ffmpeg.org Subject: [FFmpeg-devel] =?utf-8?q?=5BPATCH=5D_avcodec/prores=5Fraw=3A_Fix?= =?utf-8?q?_heap_buffer_overflow_=28PR_=2320245=29?= X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Message-Id: <20250815145349.E8F1F68D271@ffbox0-bg.ffmpeg.org> Date: Fri, 15 Aug 2025 17:53:49 +0300 (EEST) Archived-At: List-Archive: List-Post: PR #20245 opened by Marvin Scholz (ePirat) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20245 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20245.patch When dimensions differ from context, those were updated using ff_set_dimensions, however this overwrote the aligned coded_width and coded_height that were set before, leading to a buffer overflow when writing the frame data. Fixes: OssFuzz 438771336 Fixes: Heap-buffer-overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Marvin Scholz Reviewed-by: Marvin Scholz >From 9a6fc04013e0913830e9f1cf513977cfe10f49d7 Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Thu, 14 Aug 2025 22:11:41 -0700 Subject: [PATCH] avcodec/prores_raw: Fix heap buffer overflow When dimensions differ from context, those were updated using ff_set_dimensions, however this overwrote the aligned coded_width and coded_height that were set before, leading to a buffer overflow when writing the frame data. Fixes: OssFuzz 438771336 Fixes: Heap-buffer-overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Marvin Scholz Reviewed-by: Marvin Scholz --- libavcodec/prores_raw.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index 748e176815..b2aa97ddda 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c @@ -367,9 +367,6 @@ static int decode_frame(AVCodecContext *avctx, if ((w & 1) || (h & 1)) return AVERROR_INVALIDDATA; - avctx->coded_width = FFALIGN(w, 16); - avctx->coded_height = FFALIGN(h, 16); - if (w != avctx->width || h != avctx->height) { av_log(avctx, AV_LOG_WARNING, "picture resolution change: %ix%i -> %ix%i\n", avctx->width, avctx->height, w, h); @@ -377,6 +374,9 @@ static int decode_frame(AVCodecContext *avctx, return ret; } + avctx->coded_width = FFALIGN(w, 16); + avctx->coded_height = FFALIGN(h, 16); + enum AVPixelFormat pix_fmt = AV_PIX_FMT_BAYER_RGGB16; if (pix_fmt != s->pix_fmt) { s->pix_fmt = pix_fmt; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".