This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/5.1 in repository ffmpeg.
commit 20a720b0f35f2db13540d8d914d1802fccf4bc6c Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Thu Apr 23 02:47:11 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 15:21:19 2026 +0200 fftools/ffmpeg_opt: validate stream index in negative map handling Negative -map processing iterates previously parsed stream map entries and dereferences input_files[m->file_index]->ctx->streams[m->stream_index] without validating that stream_index is in range. A malformed earlier map can leave m->stream_index negative, which causes an out-of-bounds read when a later negative map walks existing entries. Check that stream_index is non-negative and below nb_streams before calling stream_specifier_match(). *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: DFVULN-695 (cherry picked from commit 25a98586cc651bcf0419fcb2453b51ffa8f2fb86) Signed-off-by: Michael Niedermayer <[email protected]> --- fftools/ffmpeg_opt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 7a4b5fed72..e2d53d1a7b 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -475,6 +475,8 @@ static int opt_map(void *optctx, const char *opt, const char *arg) for (i = 0; i < o->nb_stream_maps; i++) { m = &o->stream_maps[i]; if (file_idx == m->file_index && + m->stream_index >= 0 && + m->stream_index < input_files[m->file_index]->nb_streams && check_stream_specifier(input_files[m->file_index]->ctx, input_files[m->file_index]->ctx->streams[m->stream_index], *p == ':' ? p + 1 : p) > 0) _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
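Review bot: The new range check in the opt_map() loop protects only this one read of `ctx->streams[m->stream_index]`, while the commit message says the bad value comes from a malformed earlier map, so the out-of-range entry stays in `o->stream_maps` after this loop skips it. Consider rejecting the entry at the point where it is stored, or confirming that every other place that indexes `streams[]` with `m->stream_index` applies the same `>= 0` and `< nb_streams` test. Separately, the message says the check comes before calling stream_specifier_match(), but the guarded call in this hunk is check_stream_specifier(); a short note in the cherry-pick message would keep the backport description consistent with the release/5.1 code.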
