This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new e90c2ff4b5 avcodec/libdav1d: fix heap overflow in US ITU-T T.35 metadata parsing
e90c2ff4b5 is described below

commit e90c2ff4b5a5922d2cad1acd41595084f71d74a8
Author:     Ruikai Peng <[email protected]>
AuthorDate: Mon Apr 6 19:11:33 2026 -0400
Commit:     James Almer <[email protected]>
CommitDate: Mon Apr 6 23:39:40 2026 +0000

    avcodec/libdav1d: fix heap overflow in US ITU-T T.35 metadata parsing
    
    The US country_code path in parse_itut_t35_metadata() reads the
    provider_code with bytestream2_get_be16u(), which is an
    unchecked version that does not validate the remaining
    length before reading. When an AV1 stream contains ITU-T T.35
    metadata with country_code set to 0xB5 (which is US) and a
    payload shorter than 2 bytes, this results in a heap overflow
    reading 2 bytes past the allocation.
    
    The UK country code path already guards against this issue by
    checking the remaining length before the unchecked read. We're
    applying the same pattern to the US country code path.
    
    Pwno crafted an AV1 IVF with a metadata OBU containing ITU-T T.35
    with country_code=0xB5 and a 1-byte payload. Decoding with libdav1d
    triggers the overflow. ASan says:
    
    ERROR: AddressSanitizer: heap-buffer-overflow
    READ of size 2 at 0x5020000003f0 thread T0
      #0 bytestream_get_be16 src/libavcodec/bytestream.h:98
      #1 bytestream2_get_be16u src/libavcodec/bytestream.h:98
      #2 parse_itut_t35_metadata src/libavcodec/libdav1d.c:376
    
    0x5020000003f1 is located 0 bytes after 1-byte region
    
    Found-by: Pwno
---
 libavcodec/libdav1d.c | 2 ++
 1 file changed, 2 insertions(+)
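The bug class the commit describes (an unchecked fixed-width read on a payload that may be shorter than the read) is small enough to model stand-alone. The block below is an added example, not FFmpeg's code: `ByteReader`, `get_be16u`, `bytes_left` and `parse_t35_provider` are simplified stand-ins written for this illustration, not the `GetByteContext`/`bytestream2_*` API, and `ERR_INVALIDDATA` stands in for `AVERROR_INVALIDDATA`. The sample payloads are constructed. It shows the hardened shape the fix applies: validate the remaining length, then perform the unchecked read.

```c
/* Added example modelling the ITU-T T.35 provider_code read fixed above.
 * Simplified stand-ins for illustration only, not FFmpeg's bytestream2 API. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1)   /* stand-in for AVERROR_INVALIDDATA */
#define COUNTRY_CODE_US 0xB5   /* ITU-T T.35 country code for the US, per the commit message */

typedef struct ByteReader {
    const uint8_t *buf;        /* next unread byte */
    const uint8_t *end;        /* one past the last byte */
} ByteReader;

static void reader_init(ByteReader *r, const uint8_t *buf, size_t len) {
    r->buf = buf;
    r->end = buf + len;
}

static size_t bytes_left(const ByteReader *r) {
    return (size_t)(r->end - r->buf);
}

/* Unchecked big-endian 16-bit read. Like an "_u" reader, it trusts the
 * caller to have verified that two bytes remain; on a 1-byte buffer it
 * would read one byte past the end, which is the overflow ASan reported. */
static uint16_t get_be16u(ByteReader *r) {
    uint16_t v = (uint16_t)(((uint16_t)r->buf[0] << 8) | r->buf[1]);
    r->buf += 2;
    return v;
}

/* Hardened parse of the provider_code that follows a US country_code.
 * Returns 0 and stores the code on success, ERR_INVALIDDATA if the
 * country code is not modelled here or the payload is too short. */
static int parse_t35_provider(uint8_t country_code,
                              const uint8_t *payload, size_t len,
                              uint16_t *provider_code) {
    ByteReader r;
    reader_init(&r, payload, len);

    if (country_code != COUNTRY_CODE_US)
        return ERR_INVALIDDATA;          /* only the US path is modelled */

    if (bytes_left(&r) < 2)              /* the guard the fix adds */
        return ERR_INVALIDDATA;

    *provider_code = get_be16u(&r);      /* now safe: 2 bytes are present */
    return 0;
}

/* Convenience wrapper: provider_code as a non-negative int, or ERR_INVALIDDATA. */
static int provider_for(uint8_t country_code, const uint8_t *payload, size_t len) {
    uint16_t code = 0;
    int ret = parse_t35_provider(country_code, payload, len, &code);
    return ret < 0 ? ret : (int)code;
}

/* Constructed sample payloads (bytes after the country_code). */
static const uint8_t sample_short[1] = { 0x12 };        /* 1 byte: must be rejected */
static const uint8_t sample_ok[2]    = { 0x12, 0x34 };  /* 2 bytes: provider_code 0x1234 */

int main(void) {
    printf("1-byte payload -> %d (expect %d)\n",
           provider_for(COUNTRY_CODE_US, sample_short, 1), ERR_INVALIDDATA);
    printf("2-byte payload -> 0x%04x\n",
           provider_for(COUNTRY_CODE_US, sample_ok, 2));
    return 0;
}
```

The explicit length check is preferable to swapping in a checked reader that returns 0 on truncation, because a silently zeroed provider_code would be dispatched into the provider switch rather than rejected as malformed input.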

diff --git a/libavcodec/libdav1d.c b/libavcodec/libdav1d.c
index ae810b7abd..5af851085c 100644
--- a/libavcodec/libdav1d.c
+++ b/libavcodec/libdav1d.c
@@ -373,6 +373,8 @@ static int parse_itut_t35_metadata(Libdav1dContext *dav1d, 
Dav1dPicture *p,
     country_code = itut_t35->country_code;
     switch (country_code) {
     case ITU_T_T35_COUNTRY_CODE_US:
+        if (bytestream2_get_bytes_left(&gb) < 2)
+            return AVERROR_INVALIDDATA;
         provider_code = bytestream2_get_be16u(&gb);
 
         switch (provider_code) {
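Review bot: the two-byte guard before `bytestream2_get_be16u(&gb)` correctly covers `provider_code` and matches the UK-path pattern the commit message cites, but it covers only those two bytes; any further reads inside the inner `switch (provider_code)` still need their own `bytestream2_get_bytes_left(&gb)` check or the checked `bytestream2_get_*` variants, since this guard says nothing about them. Consider also a short comment above the check (e.g. `/* provider_code: 2 bytes */`) so the constant 2 is self-documenting, and confirm the UK branch uses the identical `< 2` form so the two paths stay in sync.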

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
