This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/8.1
in repository ffmpeg.

commit 77f2c227c254c0f03e88154e393e3a01ff1562a3
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat May 2 11:11:02 2026 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun May 3 19:24:58 2026 +0200

    avcodec/zmbv: reject XOR data that overruns the decompression buffer
    
    Add a per-block bounds check at the start of each XOR block so the
    read is rejected before src crosses decomp_len, and propagate the
    error from decode_frame().
    
    Fixes: out of array read
    
    Found-by: Seung Min Shin
    (cherry picked from commit 2a991a3475c6200682b8828f398d7fed619bb9e5)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/zmbv.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index f0bffd8966..fe12f3f84a 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -138,6 +138,8 @@ static int zmbv_decode_xor_8(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2)
+                    return AVERROR_INVALIDDATA;
                 out = output + x;
                 for (j = 0; j < bh2; j++) {
                     for (i = 0; i < bw2; i++)
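Review bot: The new guard in zmbv_decode_xor_8 depends on signed arithmetic that nothing at the site states: `c->decomp_len - (src - c->decomp_buf)` has to go negative when src is already past the end of the data, and that case is only rejected while both sides of the comparison stay signed. The declaration of decomp_len and the code that advances src past the motion-vector table are outside the hunk, so this should be confirmed. A comment such as `/* remaining may be negative if src is already past decomp_len; keep this comparison signed */` would protect the check against a later type change. The same expression is repeated in zmbv_decode_xor_16, zmbv_decode_xor_24 and zmbv_decode_xor_32 with only the bytes-per-pixel factor changing, so a small static helper taking that factor would keep the four checks from drifting apart. All four function bodies start and end outside their hunks.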
@@ -212,6 +214,8 @@ static int zmbv_decode_xor_16(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 2)
+                    return AVERROR_INVALIDDATA;
                 out = output + x;
                 for (j = 0; j < bh2; j++){
                     for (i = 0; i < bw2; i++) {
@@ -296,6 +300,8 @@ static int zmbv_decode_xor_24(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 3)
+                    return AVERROR_INVALIDDATA;
                 out = output + x * 3;
                 for (j = 0; j < bh2; j++) {
                     for (i = 0; i < bw2; i++) {
@@ -374,6 +380,8 @@ static int zmbv_decode_xor_32(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 4)
+                    return AVERROR_INVALIDDATA;
                 out = output + x;
                 for (j = 0; j < bh2; j++){
                     for (i = 0; i < bw2; i++) {
@@ -568,8 +576,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame 
*frame,
         frame->pict_type = AV_PICTURE_TYPE_P;
         if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * 
((c->height + c->bh - 1) / c->bh))
             return AVERROR_INVALIDDATA;
-        if (c->decomp_len)
-            c->decode_xor(c);
+        if (c->decomp_len) {
+            if ((ret = c->decode_xor(c)) < 0)
+                return ret;
+        }
     }
 
     /* update frames */
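Review bot: The new early return in decode_frame fails silently, so a stream rejected by the XOR bounds check cannot be told apart in logs from any other AVERROR_INVALIDDATA. A line such as `av_log(avctx, AV_LOG_ERROR, "XOR data overruns decompression buffer\n");` before `return ret;` would make the rejection visible when triaging malformed input. The keyframe branch is above the hunk and not visible; if the intra decoder's return value is discarded there the way decode_xor's was before this change, it deserves the same propagation. decode_frame's body continues outside the hunk.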
