Date: Wed, 11 Feb 2026 09:28:48 +0100
X-Mailer: git-send-email 2.53.0.273.g2a3d683680-goog
Message-ID: <20260211082848.638506-1-ardb+git@google.com>
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel]
[PATCH] avcodec/adpcm: fix heap-buffer-overflow in IMA MAGIX decoding List-Id: FFmpeg development discussions and patches Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Ard Biesheuvel via ffmpeg-devel Cc: Ard Biesheuvel , CodeMender , Ard Biesheuvel Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Archived-At: List-Archive: List-Post: From: Ard Biesheuvel The IMA MAGIX decoder calculates the output buffer size (nb_samples) based on the actual input packet size (buf_size) via get_nb_samples(). However, the decoding loop previously relied on avctx->block_align to determine the iteration count. When block_align is larger than the actual packet size (e.g., a 71-byte packet with block_align=16384), the loop attempts to process more data than available. This results in out-of-bounds reads from the input bytestream and out-of-bounds writes to the allocated output buffer. Fix this by adding a check for remaining input bytes (>= 8) to the loop condition, ensuring the loop terminates when the input is exhausted. oss-fuzz: https://oss-fuzz.com/testcase-detail/4847227777646592 Co-authored-by: CodeMender Signed-off-by: Ard Biesheuvel --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index bd9ad2933f..2828cb8c31 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1799,7 +1799,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame, } } - for (int m = 0; m < avctx->block_align-8; m += 8) { + for (int m = 0; m < avctx->block_align-8 && bytestream2_get_bytes_left(&gb) >= 8; m += 8) { uint32_t v0 = bytestream2_get_le32u(&gb); uint32_t v1 = bytestream2_get_le32u(&gb); -- 2.53.0.239.g8d8fc8a987-goog _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
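Review bot: the new loop condition in adpcm_decode_frame() bounds only the input side, while the commit message also reports out-of-bounds writes to the output buffer sized from nb_samples. The test `bytestream2_get_bytes_left(&gb) >= 8` matches the two `bytestream2_get_le32u` reads per iteration, so the reads are covered. The writes are not visible in this hunk, and they stay in bounds only if get_nb_samples() allocates exactly the samples produced per 8-byte group for this codec. Please either state that invariant in a comment next to the loop or bound the loop by the sample count as well. Two smaller points: a packet shorter than block_align is now decoded short without any diagnostic, so consider logging a warning or returning AVERROR_INVALIDDATA if a truncated block is not expected here; and the condition is long enough that it would read better wrapped onto two lines.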