PR #23124 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23124
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23124.patch
Fixes: ada-4-poc.ty change is based on the suggested fix Found-by: Claude and Ada Logics. This issue was found by Anthropic from using agents to study security of open source projects Signed-off-by: Michael Niedermayer <[email protected]> >From abdf2be47fc4ce2a9a644c60c5f75515a467ed2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Sat, 16 May 2026 21:14:40 +0200 Subject: [PATCH] avformat/ty: check rec_size Fixes: ada-4-poc.ty change is based on the suggested fix Found-by: Claude and Ada Logics. This issue was found by Anthropic from using agents to study security of open source projects Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/ty.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/ty.c b/libavformat/ty.c index c637c35e7c..9be027fcca 100644 --- a/libavformat/ty.c +++ b/libavformat/ty.c @@ -396,12 +396,16 @@ static int demux_video(AVFormatContext *s, TyRecHdr *rec_hdr, AVPacket *pkt) int got_packet = 0; if (subrec_type != 0x02 && subrec_type != 0x0c && - subrec_type != 0x08 && rec_size > 4) { + subrec_type != 0x08 && rec_size > 7) { + /* get the PTS from this packet if it has one. * on S1, only 0x06 has PES. On S2, however, most all do. * Do NOT Pass the PES Header to the MPEG2 codec */ es_offset1 = find_es_header(ty_VideoPacket, ty->chunk + ty->cur_chunk_pos, 5); if (es_offset1 != -1) { + if (rec_size < es_offset1 + VIDEO_PTS_OFFSET + 5) + return AVERROR_INVALIDDATA; + ty->last_video_pts = ff_parse_pes_pts( ty->chunk + ty->cur_chunk_pos + es_offset1 + VIDEO_PTS_OFFSET); if (subrec_type != 0x06) { -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
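Review bot: The two new bounds in demux_video() rely on unexplained literals: `rec_size > 7` in the outer condition and the `+ 5` in `rec_size < es_offset1 + VIDEO_PTS_OFFSET + 5`. A short comment or named constants would make them checkable, for example stating that the 5 is the number of bytes ff_parse_pes_pts() reads, and how the 7 relates to the search length of 5 passed to find_es_header(). Both checks bound the access against rec_size only. Because the pointer is ty->chunk + ty->cur_chunk_pos, they are sufficient only if rec_size has already been validated against the bytes remaining in the chunk, which these lines do not show, so please confirm that at the caller or add it here. The blank line added directly after the opening brace of the outer if looks unintentional and can be dropped.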
