PR #20821 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20821
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20821.patch

update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->xdelta is larger than td->xsize, which led to two
buffer overflows when interacting with the ptr variable in the same
switch statement.

Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <[email protected]>


From 60657f201e11532457863a9ce90b2198937fb96c Mon Sep 17 00:00:00 2001
From: veygax <[email protected]>
Date: Sun, 2 Nov 2025 02:35:40 +0000
Subject: [PATCH] avcodec/exr: use tile dimensions in pxr24 UINT case

update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->xdelta is larger than td->xsize, which led to two
buffer overflows when interacting with the ptr variable in the same
switch statement.

Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <[email protected]>
---
 libavcodec/exr.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index c83325aa52..733ad76316 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -745,12 +745,12 @@ static int pxr24_uncompress(const EXRContext *s, const 
uint8_t *src,
                 break;
             case EXR_UINT:
                 ptr[0] = in;
-                ptr[1] = ptr[0] + s->xdelta;
-                ptr[2] = ptr[1] + s->xdelta;
-                ptr[3] = ptr[2] + s->xdelta;
-                in     = ptr[3] + s->xdelta;
+                ptr[1] = ptr[0] + td->xsize;
+                ptr[2] = ptr[1] + td->xsize;
+                ptr[3] = ptr[2] + td->xsize;
+                in     = ptr[3] + td->xsize;
 
-                for (j = 0; j < s->xdelta; ++j) {
+                for (j = 0; j < td->xsize; ++j) {
                     uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                     (*(ptr[1]++) << 16) |
                     (*(ptr[2]++) << 8 ) |
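Review bot: the hunk corrects the stride and the loop bound but adds no check of its own that the four planes fit in the buffer `in` walks through; after this change the EXR_UINT case consumes 4 * td->xsize bytes per row (`ptr[0]` through `ptr[3]`, each advanced td->xsize times), so the fix is only complete if the size validation that runs before this switch in pxr24_uncompress already bounds the uncompressed tile by the tile width rather than s->xdelta. Worth confirming that in review, and a one-line comment above `ptr[0] = in;` stating the 4 * td->xsize invariant would keep the next reader from reintroducing the window width here.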
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- [email protected]