This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 5408059eb7 avformat/cafdec: fix negative index use in read_seek
5408059eb7 is described below
commit 5408059eb7f2ff628ba25db7ff8714e707467c49
Author: depthfirst-dev[bot]
<1012587+depthfirst-dev[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 23 02:47:11 2026 +0000
Commit: michaelni <[email protected]>
CommitDate: Sat May 2 21:40:19 2026 +0000
avformat/cafdec: fix negative index use in read_seek
av_index_search_timestamp() returns a negative value when a seek target
cannot be resolved from the stream index. Bail out before using that
result as an index into sti->index_entries to avoid out-of-bounds reads.
Fixes: Buffer underflow
Fixes: DFVULN-608
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
---
libavformat/cafdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index a7789aee59..41ae1bc121 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -568,6 +568,8 @@ static int read_seek(AVFormatContext *s, int stream_index,
frame_cnt = caf->frames_per_packet * packet_cnt -
st->codecpar->initial_padding;
} else if (sti->nb_index_entries) {
packet_cnt = av_index_search_timestamp(st, timestamp, flags);
+ if (packet_cnt < 0)
+ return -1;
frame_cnt = sti->index_entries[packet_cnt].timestamp;
pos = sti->index_entries[packet_cnt].pos;
} else {
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
