This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 6e0e13b0bf avformat/ogg: Fix overflow and stale oggvorbis_private
values
6e0e13b0bf is described below
commit 6e0e13b0bf0493e764f0cdf9d0912b92e118bf32
Author: Dale Curtis <[email protected]>
AuthorDate: Thu May 21 20:55:41 2026 +0000
Commit: toots <[email protected]>
CommitDate: Fri May 22 13:27:18 2026 +0000
avformat/ogg: Fix overflow and stale oggvorbis_private values
- Prevent integer overflow when summing header lengths; add bounds check.
- Re-initialize priv->vp with the new stream's extradata once all chained
stream headers are collected.
Signed-off-by: Dale Curtis <[email protected]>
---
libavformat/oggparsevorbis.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index ed81a431f6..4044ad3bf7 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -230,8 +230,11 @@ static int fixup_vorbis_headers(AVFormatContext *as,
int i, offset, len, err;
int buf_len;
unsigned char *ptr;
+ uint64_t total_len = (uint64_t)priv->len[0] + priv->len[1] + priv->len[2];
+ if (total_len + total_len / 255 + 64 > INT_MAX)
+ return AVERROR_INVALIDDATA;
- len = priv->len[0] + priv->len[1] + priv->len[2];
+ len = total_len;
buf_len = len + len / 255 + 64;
if (*buf)
@@ -605,6 +608,13 @@ static int vorbis_packet(AVFormatContext *s, int idx)
priv->comment_size = 0;
av_freep(&priv->setup);
priv->setup_size = 0;
+
+ av_vorbis_parse_free(&priv->vp);
+ priv->vp = av_vorbis_parse_init(os->new_extradata,
os->new_extradata_size);
+ if (!priv->vp) {
+ av_log(s, AV_LOG_ERROR, "Failed to re-initialize Vorbis parser\n");
+ return AVERROR_INVALIDDATA;
+ }
}
return skip_packet;
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
