This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 2a991a3475 avcodec/zmbv: reject XOR data that overruns the
decompression buffer
2a991a3475 is described below
commit 2a991a3475c6200682b8828f398d7fed619bb9e5
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat May 2 11:11:02 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Sun May 3 13:22:37 2026 +0000
avcodec/zmbv: reject XOR data that overruns the decompression buffer
Add a per-block bounds check at the start of each XOR block so the
read is rejected before src crosses decomp_len, and propagate the
error from decode_frame().
Fixes: out of array read
Found-by: Seung Min Shin
---
libavcodec/zmbv.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 947097bb4a..3e2e7fa98a 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -139,6 +139,8 @@ static int zmbv_decode_xor_8(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
+ if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2)
+ return AVERROR_INVALIDDATA;
out = output + x;
for (j = 0; j < bh2; j++) {
for (i = 0; i < bw2; i++)
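Review bot: The guard added in zmbv_decode_xor_8 is only sound while `c->decomp_len - (src - c->decomp_buf)` is computed as a signed value, so that a src already beyond decomp_len gives a negative remainder and is rejected rather than wrapping to a large one. The declaration of decomp_len and the code that advances src are outside the hunk, so I would pin the assumption with a comment above the check, e.g. `/* signed remainder: also rejects src already past decomp_len */`. The same expression is repeated in zmbv_decode_xor_16, _24 and _32 with only the bytes-per-pixel factor changing; a small static helper taking that factor would keep the four checks from drifting apart. The function bodies continue outside the hunks.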
@@ -213,6 +215,8 @@ static int zmbv_decode_xor_16(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
+ if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 2)
+ return AVERROR_INVALIDDATA;
out = output + x;
for (j = 0; j < bh2; j++){
for (i = 0; i < bw2; i++) {
@@ -297,6 +301,8 @@ static int zmbv_decode_xor_24(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
+ if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 3)
+ return AVERROR_INVALIDDATA;
out = output + x * 3;
for (j = 0; j < bh2; j++) {
for (i = 0; i < bw2; i++) {
@@ -375,6 +381,8 @@ static int zmbv_decode_xor_32(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
+ if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 4)
+ return AVERROR_INVALIDDATA;
out = output + x;
for (j = 0; j < bh2; j++){
for (i = 0; i < bw2; i++) {
@@ -569,8 +577,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame
*frame,
frame->pict_type = AV_PICTURE_TYPE_P;
if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) *
((c->height + c->bh - 1) / c->bh))
return AVERROR_INVALIDDATA;
- if (c->decomp_len)
- c->decode_xor(c);
+ if (c->decomp_len) {
+ if ((ret = c->decode_xor(c)) < 0)
+ return ret;
+ }
}
/* update frames */
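Review bot: The new `return ret` leaves decode_frame before the `/* update frames */` step, at a point where decode_xor may already have written some blocks of the current picture. Whether that partially written buffer can later be output or used as a reference is not visible here, since the rest of decode_frame lies outside the hunk. If it cannot, a comment such as `/* on error the partially decoded frame is discarded and never becomes the reference */` would record why bailing out is safe. The nested test can also be flattened to `if (c->decomp_len && (ret = c->decode_xor(c)) < 0)` followed by `return ret;`.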