This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 4492ad7228 avformat/ty: check rec_size
4492ad7228 is described below
commit 4492ad7228a381c2f0c8b79d333a59c7657311c9
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat May 16 21:14:40 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Sat May 23 00:04:46 2026 +0000
avformat/ty: check rec_size
Fixes: ada-4-poc.ty
change is based on the suggested fix
Found-by: Claude and Ada Logics. This issue was found by Anthropic from
using agents to study security of open source projects
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavformat/ty.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/ty.c b/libavformat/ty.c
index c637c35e7c..9be027fcca 100644
--- a/libavformat/ty.c
+++ b/libavformat/ty.c
@@ -396,12 +396,16 @@ static int demux_video(AVFormatContext *s, TyRecHdr
*rec_hdr, AVPacket *pkt)
int got_packet = 0;
if (subrec_type != 0x02 && subrec_type != 0x0c &&
- subrec_type != 0x08 && rec_size > 4) {
+ subrec_type != 0x08 && rec_size > 7) {
+
/* get the PTS from this packet if it has one.
* on S1, only 0x06 has PES. On S2, however, most all do.
* Do NOT Pass the PES Header to the MPEG2 codec */
es_offset1 = find_es_header(ty_VideoPacket, ty->chunk +
ty->cur_chunk_pos, 5);
if (es_offset1 != -1) {
+ if (rec_size < es_offset1 + VIDEO_PTS_OFFSET + 5)
+ return AVERROR_INVALIDDATA;
+
ty->last_video_pts = ff_parse_pes_pts(
ty->chunk + ty->cur_chunk_pos + es_offset1 +
VIDEO_PTS_OFFSET);
if (subrec_type != 0x06) {
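Review bot: The two new bounds use bare literals with no explanation, in the outer condition (`rec_size > 7`) and in the added check inside the `es_offset1 != -1` branch (`rec_size < es_offset1 + VIDEO_PTS_OFFSET + 5`). The reader cannot tell from the hunk why the threshold moved from 4 to 7, or that the trailing 5 is presumably the number of bytes ff_parse_pes_pts() consumes at that offset. A short comment on each, or a named constant for the PTS field length, would make the invariant checkable the next time VIDEO_PTS_OFFSET or the find_es_header() search window (the literal 5 passed as its last argument) changes. The new check also validates against rec_size only, while the read goes through ty->chunk + ty->cur_chunk_pos. Nothing in the visible lines shows that rec_size is itself limited to the bytes remaining in the chunk, so it is worth confirming that the caller guarantees this, or checking against the chunk end here as well. The early `return AVERROR_INVALIDDATA` fails the whole demux_video() call for one short record. If skipping the PTS parse and continuing would be acceptable, say in the commit message why a hard error was chosen. Minor: the added empty line directly after the opening `if (...) {` looks unintentional and could be dropped.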
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]