PR #23147 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23147 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23147.patch
Fixes: signed integer overflow Fixes: ffmpeg_flv_read_packet_libavformat_flvdec.c_1900_26.poc Found-by: iceray-Li Signed-off-by: Michael Niedermayer <[email protected]> >From d74a1d604c054c356202846f45bd3c9add02e281 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 18 May 2026 23:37:12 +0200 Subject: [PATCH] avformat/flvdec: Check size at the top of the main loop Fixes: signed integer overflow Fixes: ffmpeg_flv_read_packet_libavformat_flvdec.c_1900_26.poc Found-by: iceray-Li Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/flvdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 902a875474..03310503d1 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -1565,6 +1565,10 @@ skip: for (;;) { int track_size = size; + if (size < 0) { + ret = FFERROR_REDO; + goto leave; + } if (multitrack_type != MultitrackTypeOneTrack) { track_size = avio_rb24(s->pb); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
