This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/5.1
in repository ffmpeg.

commit 92c7be0d2e15fdf89ffff33c6506a595a2215f10
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat May 2 11:11:02 2026 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue May 5 16:03:28 2026 +0200

    avcodec/zmbv: reject XOR data that overruns the decompression buffer
    
    Add a per-block bounds check at the start of each XOR block so the
    read is rejected before src crosses decomp_len, and propagate the
    error from decode_frame().
    
    Fixes: out of array read
    
    Found-by: Seung Min Shin
    (cherry picked from commit 2a991a3475c6200682b8828f398d7fed619bb9e5)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/zmbv.c        | 14 ++++++++++++--
 tests/ref/fate/zmbv-8bit |  1 -
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 37c18e3a14..2df72cf543 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -138,6 +138,8 @@ static int zmbv_decode_xor_8(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2)
+                    return AVERROR_INVALIDDATA;
                 out = output + x;
                 for (j = 0; j < bh2; j++) {
                     for (i = 0; i < bw2; i++)
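Review bot: The new guard in zmbv_decode_xor_8 is only correct if `c->decomp_len - (src - c->decomp_buf)` is evaluated as a signed quantity, and nothing at the check says so. If src can already sit past decomp_len when the first XOR block is reached (the code that advances src is outside the hunk, so this is an assumption to confirm), the remainder is negative and the comparison still rejects the block, whereas an unsigned length would wrap and let the read through. A one-line comment such as `/* remaining may be <= 0 here; the signed compare rejects that too */` would keep a later type change from reopening the over-read. The identical checks in zmbv_decode_xor_16, zmbv_decode_xor_24 and zmbv_decode_xor_32 differ only in the bytes-per-pixel factor, so a small static helper taking that factor would keep the four copies in sync. All four function bodies start and end outside their hunks.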
@@ -212,6 +214,8 @@ static int zmbv_decode_xor_16(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 2)
+                    return AVERROR_INVALIDDATA;
                 out = output + x;
                 for (j = 0; j < bh2; j++){
                     for (i = 0; i < bw2; i++) {
@@ -296,6 +300,8 @@ static int zmbv_decode_xor_24(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 3)
+                    return AVERROR_INVALIDDATA;
                 out = output + x * 3;
                 for (j = 0; j < bh2; j++) {
                     for (i = 0; i < bw2; i++) {
@@ -374,6 +380,8 @@ static int zmbv_decode_xor_32(ZmbvContext *c)
             }
 
             if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 4)
+                    return AVERROR_INVALIDDATA;
                 out = output + x;
                 for (j = 0; j < bh2; j++){
                     for (i = 0; i < bw2; i++) {
@@ -568,8 +576,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
         frame->pict_type = AV_PICTURE_TYPE_P;
         if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh))
             return AVERROR_INVALIDDATA;
-        if (c->decomp_len)
-            c->decode_xor(c);
+        if (c->decomp_len) {
+            if ((ret = c->decode_xor(c)) < 0)
+                return ret;
+        }
     }
 
     /* update frames */
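Review bot: The new early return in decode_frame leaves before the `/* update frames */` step, after decode_xor may already have written part of the current picture, and it does so without any log message. Whether that partially written buffer can be read by a later frame depends on code outside the hunk, so it is worth confirming that the next inter frame rewrites every block before using it. A diagnostic ahead of the return, for example `av_log(avctx, AV_LOG_ERROR, "XOR data overruns the decompression buffer\n");`, would let operators tell this rejection apart from the other AVERROR_INVALIDDATA exits when triaging malformed input. The removal of frame 275 from tests/ref/fate/zmbv-8bit suggests the FATE sample itself ends in such a truncated frame, which makes it a useful regression case to keep.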
diff --git a/tests/ref/fate/zmbv-8bit b/tests/ref/fate/zmbv-8bit
index 7c2fab691f..9a7c96cb32 100644
--- a/tests/ref/fate/zmbv-8bit
+++ b/tests/ref/fate/zmbv-8bit
@@ -278,4 +278,3 @@
 0,        272,        272,        1,   192000, 0xd08e49d1
 0,        273,        273,        1,   192000, 0xd08e49d1
 0,        274,        274,        1,   192000, 0xd08e49d1
-0,        275,        275,        1,   192000, 0x1f34135f
