* [FFmpeg-devel] [PATCH] avcodec/dxv: fix index validation against texture size
From: 0xBat via ffmpeg-devel @ 2026-01-05 0:35 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: 0xBat
Validate the calculated index against both the current position and the total texture size to prevent out-of-bounds memory access.
Signed-off-by: 0xBat <monsterbat02@gmail.com>
---
libavcodec/dxv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 07eee253e7..8d11dfe1a1 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -72,8 +72,8 @@ typedef struct DXVContext {
idx = x; \
break; \
case 2: \
- idx = (bytestream2_get_byte(gbc) + 2) * x; \
- if (idx > pos) { \
+ idx = (bytestream2_get_byte(gbc) + 2) * x;
+ if (idx > pos || idx > ctx->tex_size) { \
av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \
return AVERROR_INVALIDDATA; \
} \
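Review bot: the line `+ idx = (bytestream2_get_byte(gbc) + 2) * x;` has lost its trailing `\`, which terminates the multi-line macro at that point and leaves the following `if`, `break` and `case` lines outside any definition, so the file no longer compiles; restore the `\` at the end of that line. Independently of that, the unchanged `av_log` line still prints `"idx %d > %d\n", idx, pos`, so a rejection caused by the new `idx > ctx->tex_size` branch reports a misleading comparison; log `ctx->tex_size` in the message as well, or split the two checks with their own messages.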
--
2.52.0.windows.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
* [FFmpeg-devel] [PATCH] avcodec/eatqi: clamp quantizer value to prevent underflow
From: 0xBat via ffmpeg-devel @ 2026-01-05 0:35 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: 0xBat
Ensure the quantizer value does not exceed 107 to prevent the qscale calculation from underflowing or producing invalid results.
Signed-off-by: 0xBat <monsterbat02@gmail.com>
---
libavcodec/eatqi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c
index 421ed51009..2d74139d24 100644
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -111,6 +111,8 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame,
static void tqi_calculate_qtable(TqiContext *t, int quant)
{
+ if (quant > 107)
+ quant = 107;
const int64_t qscale = (215 - 2*quant)*5;
int i;
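Review bot: the clamp at the top of `tqi_calculate_qtable` silently rewrites an out-of-range `quant` rather than rejecting the stream; with `qscale = (215 - 2*quant)*5`, any `quant > 107` yields a negative `qscale`, which is a sign of corrupt input, so returning `AVERROR_INVALIDDATA` from the site that reads `quant` would be the cleaner fix (this function returns `void`, so it cannot report the condition itself). The bound 107 also deserves a one-line comment deriving it from the `215 - 2*quant` term, since a reader of the bare constant cannot tell where it comes from.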
--
2.52.0.windows.1
* [FFmpeg-devel] [PATCH] avcodec/qdm2: check packet size before bitstream initialization
From: 0xBat via ffmpeg-devel @ 2026-01-05 0:35 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: 0xBat
Prevent integer overflow in init_get_bits by validating that packet size multiplied by 8 does not exceed INT_MAX.
Signed-off-by: 0xBat <monsterbat02@gmail.com>
---
libavcodec/qdm2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index b2136c6824..2eb1f3be99 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -978,6 +978,8 @@ static int process_subpacket_9(QDM2Context *q, QDM2SubPNode *node)
GetBitContext gb;
int i, j, k, n, ch, run, level, diff;
+ if (node->packet->size > INT_MAX / 8)
+ return AVERROR_INVALIDDATA;
init_get_bits(&gb, node->packet->data, node->packet->size * 8);
n = coeff_per_sb_for_avg[q->coeff_per_sb_select][QDM2_SB_USED(q->sub_sampling) - 1] + 1;
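Review bot: the added guard covers the `node->packet->size * 8` multiplication but a negative `size` still passes it, and the return value of `init_get_bits` on the following line (which reports its own size errors) is discarded. `init_get_bits8()` takes the size in bytes, performs the overflow and negative-size checks internally and returns an error code, so `ret = init_get_bits8(&gb, node->packet->data, node->packet->size); if (ret < 0) return ret;` replaces the hand-written check and handles both cases in one place.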
--
2.52.0.windows.1
* [FFmpeg-devel] [PATCH] compat/android: fix DLL hijacking by using absolute paths
From: 0xBat via ffmpeg-devel @ 2026-01-05 0:35 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: 0xBat
Hardcode the path to libbinder_ndk.so to /system/lib64/ or /system/lib/ to prevent loading malicious libraries from unauthorized directories.
Signed-off-by: 0xBat <monsterbat02@gmail.com>
---
compat/android/binder.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/compat/android/binder.c b/compat/android/binder.c
index a214d977cc..58c0c3859e 100644
--- a/compat/android/binder.c
+++ b/compat/android/binder.c
@@ -41,7 +41,9 @@ static void *dlopen_libbinder_ndk(void)
* See also: https://source.android.com/docs/core/architecture/aidl/aidl-backends
*/
- void *h = dlopen("libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
+ void *h = dlopen("/system/lib64/libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
+ if (!h)
+ h = dlopen("/system/lib/libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
if (h != NULL)
return h;
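Review bot: the two hardcoded paths are tried in a fixed order regardless of the process ABI, so a 64-bit process that fails to open `/system/lib64/libbinder_ndk.so` next attempts the 32-bit copy under `/system/lib/`, and a device whose system layout places the library elsewhere gets no match at all, whereas the replaced bare-soname `dlopen` left that resolution to the platform linker. Select the directory with `#ifdef __LP64__` instead of a runtime fallback, and extend the comment block above the call (the `See also:` line is left unchanged by this hunk) to record why absolute paths are used here.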
--
2.52.0.windows.1
* [FFmpeg-devel] Re: [PATCH] avcodec/dxv: fix index validation against texture size
From: Michael Niedermayer via ffmpeg-devel @ 2026-01-08 3:20 UTC (permalink / raw)
To: FFmpeg development discussions and patches; +Cc: Michael Niedermayer
Hi 0xBat
On Mon, Jan 05, 2026 at 01:35:00AM +0100, 0xBat via ffmpeg-devel wrote:
> Validate the calculated index against both the current position and the total texture size to prevent out-of-bounds memory access.
>
> Signed-off-by: 0xBat <monsterbat02@gmail.com>
> ---
> libavcodec/dxv.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> index 07eee253e7..8d11dfe1a1 100644
> --- a/libavcodec/dxv.c
> +++ b/libavcodec/dxv.c
> @@ -72,8 +72,8 @@ typedef struct DXVContext {
> idx = x; \
> break; \
> case 2: \
> - idx = (bytestream2_get_byte(gbc) + 2) * x; \
> - if (idx > pos) { \
> + idx = (bytestream2_get_byte(gbc) + 2) * x;
> + if (idx > pos || idx > ctx->tex_size) { \
> av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \
This is a syntax error, that macro doesn't build:
src/libavcodec/dxv.c:76:13: error: expected identifier or ‘(’ before ‘if’
76 | if (idx > pos || idx > ctx->tex_size) { \
| ^~
src/libavcodec/dxv.c:80:13: error: expected identifier or ‘(’ before ‘break’
80 | break; \
| ^~~~~
src/libavcodec/dxv.c:81:9: error: expected identifier or ‘(’ before ‘case’
81 | case 3: \
| ^~~~
src/libavcodec/dxv.c:83:13: error: expected identifier or ‘(’ before ‘if’
83 | if (idx > pos) { \
| ^~
src/libavcodec/dxv.c:87:13: error: expected identifier or ‘(’ before ‘break’
87 | break; \
| ^~~~~
src/libavcodec/dxv.c:88:9: error: expected identifier or ‘(’ before ‘}’ token
88 | } \
| ^
src/libavcodec/dxv.c:89:5: error: expected identifier or ‘(’ before ‘}’ token
89 | } while(0)
| ^
src/libavcodec/dxv.c:89:7: error: expected identifier or ‘(’ before ‘while’
89 | } while(0)
| ^~~~~
make: *** [src/ffbuild/common.mak:90: libavcodec/dxv.o] Error 1
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Answering whenever a program halts or runs forever is
On a Turing machine, in general impossible (Turing's halting problem).
On any real computer, always possible as a real computer has a finite number
of states N, and will either halt in less than N cycles or never halt.