This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit e5fce087b3e85102b9f222ab71a7eb0236956701 Author: Oliver Chang <[email protected]> AuthorDate: Wed Dec 3 02:57:43 2025 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:49:51 2026 +0200 libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read from the bitstream was not validated against the remaining bytes in the input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size exceeding the actual packet data, leading to an out-of-bounds read. The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is greater than or equal to `header_len - 2` before initializing `gb_hdr`. Fixes: https://issues.oss-fuzz.com/issues/439711053 (cherry picked from commit 041d4f010e9fd73d661b2fc48309dd7f548a1481) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/prores_raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index b2aa97ddda..51628623c5 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c @@ -344,7 +344,7 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; int header_len = bytestream2_get_be16(&gb); - if (header_len < 62) + if (header_len < 62 || bytestream2_get_bytes_left(&gb) < header_len - 2) return AVERROR_INVALIDDATA; GetByteContext gb_hdr; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
