PR #23175 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23175 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23175.patch
decode_zbuf() inflates zTXt (compressed text) and iCCP (ICC profile) chunk payloads into an AVBPrint created with AV_BPRINT_SIZE_UNLIMITED and never checks the decompressed size. A ~100 KB zTXt chunk of compressed zeros expands to 100 MB; larger ratios or multiple chunks can exhaust memory. Abort with AVERROR_INVALIDDATA once the decompressed output crosses a hard cap (16 MiB). Verified with a crafted PNG (1 KB compressed -> 100 MB decompressed): without the patch the chunk fully decompresses, taking >100 MB; with the patch the inflate loop aborts and the decoder logs "Compressed PNG chunk expands beyond 16777216 bytes" / "Broken zTXt chunk" while the rest of the image decodes normally. Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. >From b3e5f1ec0cff052aec77859446e669985ab6c715 Mon Sep 17 00:00:00 2001 From: Franciszek Kalinowski <[email protected]> Date: Tue, 19 May 2026 09:38:28 +0200 Subject: [PATCH] avcodec/pngdec: bound decompressed zTXt/iCCP size (decompression-bomb guard) decode_zbuf() inflates zTXt (compressed text) and iCCP (ICC profile) chunk payloads into an AVBPrint created with AV_BPRINT_SIZE_UNLIMITED and never checks the decompressed size. A ~100 KB zTXt chunk of compressed zeros expands to 100 MB; larger ratios or multiple chunks can exhaust memory. Abort with AVERROR_INVALIDDATA once the decompressed output crosses a hard cap (16 MiB). Verified with a crafted PNG (1 KB compressed -> 100 MB decompressed): without the patch the chunk fully decompresses, taking >100 MB; with the patch the inflate loop aborts and the decoder logs "Compressed PNG chunk expands beyond 16777216 bytes" / "Broken zTXt chunk" while the rest of the image decodes normally. Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. --- libavcodec/pngdec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 142a88d665..0030fa5615 100644 --- a/libavcodec/pngdec.c 
+++ b/libavcodec/pngdec.c @@ -450,6 +450,9 @@ static int png_decode_idat(PNGDecContext *s, GetByteContext *gb, return 0; } +/* Hard cap on decompressed zTXt/iCCP payloads to defeat decompression bombs. */ +#define PNG_ZBUF_MAX_DECOMPRESSED (16 * 1024 * 1024) + static int decode_zbuf(AVBPrint *bp, const uint8_t *data, const uint8_t *data_end, void *logctx) { @@ -466,6 +469,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, AV_BPRINT_SIZE_UNLIMITED); while (zstream->avail_in > 0) { + if (bp->len > PNG_ZBUF_MAX_DECOMPRESSED) { + av_log(logctx, AV_LOG_ERROR, + "Compressed PNG chunk expands beyond %d bytes, aborting\n", + PNG_ZBUF_MAX_DECOMPRESSED); + ret = AVERROR_INVALIDDATA; + goto fail; + } av_bprint_get_buffer(bp, 2, &buf, &buf_size); if (buf_size < 2) { ret = AVERROR(ENOMEM); -- 2.52.0
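Review bot: in the first hunk, the comment on PNG_ZBUF_MAX_DECOMPRESSED says what the cap is for but not why 16 MiB was chosen; since the same constant bounds iCCP profiles as well as zTXt text, a short note that this is a deliberate tradeoff (generous for any real ICC profile, small enough to bound memory) would stop a future reader from either lowering it below legitimate profile sizes or treating it as a format limit. The plain int expression is fine against the unsigned AVBPrint length, as 16 MiB fits comfortably.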
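Review bot: in the second hunk, the new check runs at the top of the loop and tests bp->len as it stood after the previous iteration, before av_bprint_get_buffer() hands out the buffer that the next inflate() call fills; the output can therefore overshoot PNG_ZBUF_MAX_DECOMPRESSED by up to one iteration's buf_size (which grows with the AVBPrint buffer) before the loop aborts, so the cap is approximate rather than exact. If an exact bound is wanted, clamp the inflate output space to `PNG_ZBUF_MAX_DECOMPRESSED - bp->len` before the call, or move the test to after bp->len is advanced. Also, this is a new early exit after av_bprint_init(): please confirm the existing fail: path finalizes bp so the partially inflated buffer is not leaked.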
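The guard the patch adds, shown as an added Python example (not FFmpeg's code and not part of this patch): a bounded inflate of a zTXt payload that aborts as soon as the output crosses a cap, with the budget passed to each inflate call so the buffer cannot overshoot the cap by more than one step. `parse_ztxt`, `make_ztxt` and `ChunkTooLarge` are names invented here; the sample chunk is constructed inline.

```python
import zlib

ZBUF_MAX_DECOMPRESSED = 16 * 1024 * 1024  # same cap as the patch's macro

class ChunkTooLarge(ValueError):
    """Raised when an inflated chunk would exceed the configured cap."""

def inflate_bounded(data, cap=ZBUF_MAX_DECOMPRESSED, step=64 * 1024):
    """Inflate a zlib stream, aborting as soon as its output exceeds `cap`.

    The budget is enforced per inflate call via max_length, so the buffer
    never grows more than `step` bytes past `cap`, unlike a size check
    made only after a whole-stream zlib.decompress().
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        piece = d.decompress(buf, min(step, cap + 1 - len(out)))
        out += piece
        if len(out) > cap:
            raise ChunkTooLarge("compressed chunk expands beyond %d bytes" % cap)
        buf = d.unconsumed_tail
        if not piece and not buf:  # input exhausted, no end-of-stream marker
            raise ValueError("truncated or corrupt zlib stream")
    return bytes(out)

def parse_ztxt(payload, cap=ZBUF_MAX_DECOMPRESSED):
    """Split a zTXt payload (keyword, NUL, method byte, zlib data) and inflate."""
    key, sep, rest = payload.partition(b"\0")
    if not sep or not 1 <= len(key) <= 79 or not rest:
        raise ValueError("broken zTXt chunk")
    if rest[0] != 0:  # 0 (deflate) is the only method PNG defines
        raise ValueError("unknown zTXt compression method %d" % rest[0])
    return key.decode("latin-1"), inflate_bounded(rest[1:], cap)

def make_ztxt(keyword, text):
    """Constructed sample payload (no length/CRC framing) for trying this out."""
    return keyword.encode("latin-1") + b"\0\0" + zlib.compress(text)

if __name__ == "__main__":
    print(parse_ztxt(make_ztxt("Comment", b"hello")))
    bomb = make_ztxt("Comment", b"\0" * (8 * 1024 * 1024))  # a few KB on disk
    try:
        parse_ztxt(bomb, cap=1024 * 1024)
    except ChunkTooLarge as e:
        print("rejected:", e, "- payload was only %d bytes" % len(bomb))
```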
