PR #23239 opened by toots
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23239
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23239.patch

Cherry-picked from 6e0e13b0bf0493e764f0cdf9d0912b92e118bf32

Signed-off-by: Romain Beauxis <[email protected]>
(cherry picked from commit efd5182ba9c317d98f06552795ddb0199f202cfe)



From dc0f7ff14e08c185d2c985bfba35722cc1b0811a Mon Sep 17 00:00:00 2001
From: Romain Beauxis <[email protected]>
Date: Thu, 21 May 2026 20:55:41 +0000
Subject: [PATCH] avformat/oggparsevorbis.c: Prevent integer overflow when
 summing header lengths; add bounds check.

Cherry-picked from 6e0e13b0bf0493e764f0cdf9d0912b92e118bf32

Signed-off-by: Romain Beauxis <[email protected]>
(cherry picked from commit efd5182ba9c317d98f06552795ddb0199f202cfe)
---
 libavformat/oggparsevorbis.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index 62cc2da6de..f6cd3fb52a 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -224,8 +224,11 @@ static int fixup_vorbis_headers(AVFormatContext *as,
     int i, offset, len, err;
     int buf_len;
     unsigned char *ptr;
+    uint64_t total_len = (uint64_t)priv->len[0] + priv->len[1] + priv->len[2];
+    if (total_len + total_len / 255 + 64 > INT_MAX)
+        return AVERROR_INVALIDDATA;
 
-    len = priv->len[0] + priv->len[1] + priv->len[2];
+    len = total_len;
     buf_len = len + len / 255 + 64;
 
     if (*buf)
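Review bot: The guard `total_len + total_len / 255 + 64 > INT_MAX` repeats the sizing formula of `buf_len = len + len / 255 + 64;` a few lines below it, so the check and the allocation size can drift apart if that formula is ever changed. Consider computing the buffer size once in 64 bits, comparing that single value against INT_MAX, and assigning `len` and `buf_len` from the checked values. `len = total_len;` is also an implicit uint64_t to int narrowing that is safe only because of the preceding check; an explicit `(int)` cast or a one-line comment would make that dependency visible. Finally, the widening depends on the cast of the first operand only: the element type of `priv->len[]` is not visible in this hunk, and if it is signed, a negative entry would be converted to a very large unsigned value before the sum, so it is worth confirming that negative lengths are rejected before this function is reached.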
-- 
2.52.0
