PR #20922 opened by Shubin123
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20922
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20922.patch

The film_write_packet() function reads encoded_buf_size from packet
data via AV_RB24() and uses it in a modulo operation without validation.
When the data contains zeros at this position, it causes division by zero.

Add validation to return AVERROR_INVALIDDATA when encoded_buf_size is zero.


From 27c5051a7a659f8723bb5fc6afe754988a9c2c4e Mon Sep 17 00:00:00 2001
From: Shubin123 <[email protected]>
Date: Fri, 14 Nov 2025 21:09:50 +0000
Subject: [PATCH] Update libavformat/segafilmenc.c

The film_write_packet() function reads encoded_buf_size from packet
data via AV_RB24() and uses it in a modulo operation without validation.
When the data contains zeros at this position, it causes division by zero.

Add validation to return AVERROR_INVALIDDATA when encoded_buf_size is zero.
---
 libavformat/segafilmenc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/segafilmenc.c b/libavformat/segafilmenc.c
index 88a5b9f972..2206ff9033 100644
--- a/libavformat/segafilmenc.c
+++ b/libavformat/segafilmenc.c
@@ -58,6 +58,10 @@ static int film_write_packet(AVFormatContext 
*format_context, AVPacket *pkt)
     if (codec_id == AV_CODEC_ID_CINEPAK) {
         encoded_buf_size = AV_RB24(&pkt->data[1]);
         /* Already Sega Cinepak, so no need to reformat the packets */
+        if (encoded_buf_size == 0) {
+            av_log(format_context, AV_LOG_ERROR, "Invalid encoded_buf_size 
0\n");
+            return AVERROR_INVALIDDATA;
+        }
         if (encoded_buf_size != pkt->size && (pkt->size % encoded_buf_size) != 
0) {
             avio_write(pb, pkt->data, pkt->size);
         } else {
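Review bot: The new zero check lands between the comment "Already Sega Cinepak, so no need to reformat the packets" and the `if` that comment describes; place it directly after the `encoded_buf_size = AV_RB24(&pkt->data[1]);` line so the comment stays attached to its branch. Separately, that read touches pkt->data[1] through pkt->data[3], and nothing in the visible context shows pkt->size being checked first. If no earlier check in the function guarantees at least 4 bytes, reject short packets in the same condition, for example `if (pkt->size < 4 || !encoded_buf_size)`, since a truncated packet is the same class of malformed input as a zero size field. The log text "Invalid encoded_buf_size 0" would also be more useful to a user if it said which field of the Cinepak packet was zero rather than naming the local variable.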
-- 
2.49.1
