This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/5.1 in repository ffmpeg.
commit f95473ac3cccd820aa139eb25c734773c22cf869 Author: Michael Niedermayer <[email protected]> AuthorDate: Wed Apr 8 11:17:47 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 15:21:16 2026 +0200 avcodec/tdsc: Check tile_size Fixes: out of array read Fixes: tdsc_war_groom_far4096.avi Found by: Ante Silovic <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit e9e6fb879835a4016b433ad2c4a224f62c686de3) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/tdsc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index 0cf17d75dd..ff79c80153 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -437,6 +437,9 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) if (ret < 0) return ret; } else if (tile_mode == MKTAG(' ','W','A','R')) { + if (3LL * w * h > tile_size) + return AVERROR_INVALIDDATA; + /* Just copy the buffer to output */ av_image_copy_plane(ctx->refframe->data[0] + x * 3 + ctx->refframe->linesize[0] * y, _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
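Review bot: In the ' WAR' branch of tdsc_decode_tiles, the new `3LL * w * h > tile_size` test only bounds the copy if w and h are both known to be non-negative at this point, since a negative width or height can make the product negative and pass the comparison. The hunk does not show where w and h are validated, so either confirm that happens earlier in the function or fold `w <= 0 || h <= 0` into the same condition. The test also assumes the copy reads exactly 3 * w bytes per row for h rows from the tile buffer; the source pointer and stride arguments of av_image_copy_plane are cut off here, so check that they match that assumption. A short comment above the check saying that a raw tile carries 3 bytes per pixel would explain the constant, and the 3LL widening is the right way to keep the multiplication from overflowing int.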
