On Wed, May 06, 2026 at 03:57:08PM +0530, Benedict Chacko via ffmpeg-devel wrote:
> From: Benedict <[email protected]>
> Date: Tue, 6 May 2026
>
> Summary:
> Add a bounds check for nb_index_entries in jvdec.c before allocating
> index_entries and frames arrays. This aligns with similar validation
> present in other demuxers (e.g., rl2.c) and improves robustness when
> handling malformed input.
>
> Details:
> In read_header(), nb_index_entries is read from the input file and
> used directly in allocation expressions:
>
> av_malloc(nb_index_entries * sizeof(AVIndexEntry));
> av_malloc(nb_index_entries * sizeof(JVFrame));
>
> Adding a validation check ensures consistency with other demuxers and
> prevents potential overflow scenarios on constrained platforms.
>
> Proposed fix:
>
> --- a/libavformat/jvdec.c
> +++ b/libavformat/jvdec.c
> @@ -95,6 +95,12 @@ static int read_header(AVFormatContext *s)
>      vst->duration =
>      vst->nb_frames =
>      asti->nb_index_entries = avio_rl16(pb);
> +
> +    /* Validate nb_index_entries to prevent excessive allocation */
> +    if (asti->nb_index_entries > INT_MAX / sizeof(AVIndexEntry) ||
> +        asti->nb_index_entries > INT_MAX / sizeof(JVFrame)) {
> +        return AVERROR_INVALIDDATA;
> +    }
>      avpriv_set_pts_info(vst, 64, avio_rl16(pb), 1000);
>
>      avio_skip(pb, 4);
>
> Rationale:
> - Improves consistency with rl2.c and similar parsers
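Review bot: the added condition can never be true, so the whole `+` block is dead code: `asti->nb_index_entries` is assigned from `avio_rl16(pb)` three lines above it and is therefore at most 65535, whereas `INT_MAX / sizeof(AVIndexEntry)` and `INT_MAX / sizeof(JVFrame)` are in the millions on any platform with a 32-bit or wider `int`. Because the branch cannot fire, the commit message's claim that it "prevents potential overflow scenarios on constrained platforms" is not supported by the hunk. If the goal is robustness against malformed input, validate something that can actually fail, such as whether the declared entry count is consistent with what the input can hold; otherwise drop the hunk rather than adding an unreachable check.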
> - Adds defensive validation against malformed input

I am struggling to see how malformed input is possible here.
nb_index_entries is 16-bit, and sizeof(AVIndexEntry) and sizeof(JVFrame)
are tiny. There is no chance of this ever exceeding INT_MAX, even on
32-bit architectures.

-- 
Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
