[FFmpeg-cvslog] [ffmpeg] avcodec/mjpegdec: avoid negative len in APP parser (branch master)

Wed, 07 Jan 2026 09:33:48 -0800 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new f1dbef3e38 avcodec/mjpegdec: avoid negative len in APP parser
f1dbef3e38 is described below

commit f1dbef3e3879a9efbf9a81c04e1b73e8f9834893
Author:     Ruikai Peng <[email protected]>
AuthorDate: Tue Jan 6 20:31:37 2026 -0500
Commit:     Ramiro Polla <[email protected]>
CommitDate: Wed Jan 7 17:33:02 2026 +0000

    avcodec/mjpegdec: avoid negative len in APP parser
    
    The APP parser can read a fixed number of bytes without checking len,
    making len negative and passing it to bytestream2_skipu(), which takes
    an unsigned size. This can advance the buffer by a huge amount and
    results in undefined behavior.
    
    Add small len guards in the fixed-size AVI1/LJIF paths and only skip
    the tail if len > 0.
    
    Signed-off-by: Ruikai Peng <[email protected]>
---
 libavcodec/mjpegdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 417cedae4a..092bc3c2ff 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1905,6 +1905,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
             4bytes      field_size_less_padding
         */
             s->buggy_avid = 1;
+        if (len < 1)
+            goto out;
         i = bytestream2_get_byteu(&s->gB); len--;
         av_log(s->avctx, AV_LOG_DEBUG, "polarity %d\n", i);
         goto out;
@@ -1969,6 +1971,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
         if (s->avctx->debug & FF_DEBUG_PICT_INFO)
             av_log(s->avctx, AV_LOG_INFO,
                    "Pegasus lossless jpeg header found\n");
+        if (len < 9)
+            goto out;
         bytestream2_skipu(&s->gB, 2); /* version ? */
         bytestream2_skipu(&s->gB, 2); /* unknown always 0? */
         bytestream2_skipu(&s->gB, 2); /* unknown always 0? */
@@ -2163,7 +2167,7 @@ out:
     if (len < 0)
         av_log(s->avctx, AV_LOG_ERROR,
                "mjpeg: error, decode_app parser read over the end\n");
-    if (len)
+    if (len > 0)
         bytestream2_skipu(&s->gB, len);
 
     return 0;

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to