This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/5.1 in repository ffmpeg.
commit db6ffbf8da8277b45a3155aaddac5bab07007ecb
Author:     Andreas Rheinhardt <[email protected]>
AuthorDate: Tue Dec 16 20:53:43 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue May 5 15:20:56 2026 +0200

avformat/flac_picture: Correct check

Since af97c9865fe7a48b223e162eabce21cc180f305c, the return value of avio_read() has been compared against an uint32_t, so that the int is promoted to uint32_t for the comparison (on common systems with 32bit ints). The upshot was that errors returned from avio_read() were ignored, so that the buffer could be uninitialized on success.
Fix this by using ffio_read_size() instead.

Fixes: MemorySanitizer: use-of-uninitialized-value
Fixes: 443923343/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-5458132865449984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 4aed9db83c9fee5577f9a0e4067d2eb8ab39c551)
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/flac_picture.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/flac_picture.c b/libavformat/flac_picture.c index b33fee75b4..bf8c0de940 100644 --- a/libavformat/flac_picture.c +++ b/libavformat/flac_picture.c @@ -23,6 +23,7 @@ #include "libavcodec/bytestream.h" #include "libavcodec/png.h" #include "avformat.h" +#include "avio_internal.h" #include "demux.h" #include "flac_picture.h" #include "id3v2.h" 
@@ -160,8 +161,9 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t **bufp, int buf_size, // If truncation was detected copy all data from block and // read missing bytes not included in the block size. bytestream2_get_bufferu(&g, data->data, left); - if (avio_read(s->pb, data->data + len - trunclen, trunclen) < trunclen) - RETURN_ERROR(AVERROR_INVALIDDATA); + ret = ffio_read_size(s->pb, data->data + len - trunclen, trunclen); + if (ret < 0) + goto fail; } } memset(data->data + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
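Review bot: on the new `if (ret < 0) goto fail;` path in the second hunk, the error handed to the caller changes from the fixed AVERROR_INVALIDDATA of the removed RETURN_ERROR() line to whatever ffio_read_size() returns, and the commit message does not mention that; a sentence there would help anyone matching on the old code. The `ret < 0` test also only covers a short read if ffio_read_size() reports it as a negative value, so a brief comment at the call saying the helper is relied on for that would keep a later cleanup from going back to a comparison against `trunclen`. Neither the declaration of `ret` nor the `fail` label is visible in this context, so please confirm that `fail` returns `ret`.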

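The promotion described in the commit message, as an added example that is not FFmpeg code: `read_some()`, `read_exact()`, `struct src` and the error values are hypothetical stand-ins for a plain read call, a read-exactly helper and the library's error codes. It shows a failed read slipping past the unsigned comparison and leaving the buffer unwritten, next to the signed check that catches it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ERR_IO = -5, ERR_INVALIDDATA = -22 };  /* constructed codes, not FFmpeg's */
struct src { const uint8_t *p; int avail; int err; };  /* hypothetical byte source */

/* Plain read: returns bytes copied (possibly short) or a negative error. */
static int read_some(struct src *s, uint8_t *buf, int size)
{
    if (s->err < 0)
        return s->err;
    int n = size < s->avail ? size : s->avail;
    memcpy(buf, s->p, (size_t)n);
    s->p += n;
    s->avail -= n;
    return n;
}

/* Read-exactly wrapper: a short read is reported as an error as well. */
static int read_exact(struct src *s, uint8_t *buf, int size)
{
    int ret = read_some(s, buf, size);
    return ret < 0 ? ret : (ret == size ? 0 : ERR_INVALIDDATA);
}

/* Flawed check: with 32-bit int, the int result is converted to uint32_t for
 * the comparison, so -5 becomes 4294967291, which is never < want. */
static int fill_buggy(struct src *s, uint8_t *buf, uint32_t want)
{
    if (read_some(s, buf, (int)want) < want)
        return ERR_INVALIDDATA;
    return 0;  /* also reached when the read failed and buf was never written */
}

/* Corrected check: keep the result signed and test it against 0. */
static int fill_fixed(struct src *s, uint8_t *buf, uint32_t want)
{
    int ret = read_exact(s, buf, (int)want);
    return ret < 0 ? ret : 0;
}

int main(void)
{
    uint8_t buf[4] = { 0xAA, 0xAA, 0xAA, 0xAA };  /* 0xAA = never written */
    struct src bad = { NULL, 0, ERR_IO };
    printf("buggy=%d fixed=%d\n", fill_buggy(&bad, buf, 4), fill_fixed(&bad, buf, 4));
    return 0;
}
```

The flawed form still rejects a short read, which is why the defect only shows when the underlying read returns an error.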