[FFmpeg-cvslog] [ffmpeg] avformat/img2dec: reject input images too big to fit into a single packet (branch master)

Wed, 31 Dec 2025 06:38:57 -0800 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new f6a95c7eb7 avformat/img2dec: reject input images too big to fit into a 
single packet
f6a95c7eb7 is described below

commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8
Author:     Timo Rothenpieler <[email protected]>
AuthorDate: Wed Dec 31 03:41:21 2025 +0100
Commit:     Timo Rothenpieler <[email protected]>
CommitDate: Wed Dec 31 14:37:58 2025 +0000

    avformat/img2dec: reject input images too big to fit into a single packet
    
    Not entirely sure if it should instead use some entirely different
    approach here, given that images exceeding 2GB don't seem that crazy
    to me, but so far processing such images results in a heap overflow,
    since the size addition overflows and a much too small packet is
    allocated and its size never checked again when writing into it.
    
    Fixes #YWH-PGM40646-32
---
 libavformat/img2dec.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c
index 8f1c9013ca..586634c0c3 100644
--- a/libavformat/img2dec.c
+++ b/libavformat/img2dec.c
@@ -365,8 +365,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
     VideoDemuxData *s = s1->priv_data;
     AVBPrint filename;
     int i, res;
-    int size[3]           = { 0 }, ret[3] = { 0 };
-    AVIOContext *f[3]     = { NULL };
+    int ret[3] = { 0 };
+    int64_t size[3] = { 0 };
+    int64_t total_size;
+    AVIOContext *f[3] = { NULL };
     AVCodecParameters *par = s1->streams[0]->codecpar;
 
     av_bprint_init(&filename, 0, AV_BPRINT_SIZE_UNLIMITED);
@@ -456,7 +458,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
         }
     }
 
-    res = av_new_packet(pkt, size[0] + size[1] + size[2]);
+    total_size = size[0];
+    if (total_size > INT64_MAX - size[1])
+        return AVERROR_INVALIDDATA;
+    total_size += size[1];
+    if (total_size > INT64_MAX - size[2])
+        return AVERROR_INVALIDDATA;
+    total_size += size[2];
+    if (total_size > INT_MAX)
+        return AVERROR_INVALIDDATA;
+
+    res = av_new_packet(pkt, total_size);
     if (res < 0) {
         goto fail;
     }

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to