This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit f9a9fae55790f905446af1b2f70f6ccc00f3b06c Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Thu Apr 23 02:47:11 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:24:55 2026 +0200 avformat/cafdec: fix negative index use in read_seek av_index_search_timestamp() returns a negative value when a seek target cannot be resolved from the stream index. Bail out before using that result as an index into sti->index_entries to avoid out-of-bounds reads. Fixes: Buffer underflow Fixes: DFVULN-608 *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* (cherry picked from commit 5408059eb7f2ff628ba25db7ff8714e707467c49) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 1557391ef3..8816e6b6dc 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -566,6 +566,8 @@ static int read_seek(AVFormatContext *s, int stream_index, frame_cnt = caf->frames_per_packet * packet_cnt - st->codecpar->initial_padding; } else if (sti->nb_index_entries) { packet_cnt = av_index_search_timestamp(st, timestamp, flags); + if (packet_cnt < 0) + return -1; frame_cnt = sti->index_entries[packet_cnt].timestamp; pos = sti->index_entries[packet_cnt].pos; } else { _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
