PR #23266 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23266
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23266.patch
The ADPCM_PSXC block loop in adpcm_decode_frame() (libavcodec/adpcm.c:
2770) iterates 'block < avpkt->size / block_align' times and, for
each block, consumes
channels * (1 + (block_align - 1) / channels)
input bytes via the *unchecked* bytestream2_get_byteu() reader. The
loop divides avpkt->size by block_align, so the loop bound is sound
only when the per-block consumption equals block_align — i.e. when
block_align is an exact multiple of channels. For any other
combination (e.g. block_align=9 with channels=8), each block consumes
more than block_align bytes; iterating avpkt->size/block_align
blocks then walks the input bytestream past avpkt->data +
avpkt->size, producing the heap-buffer-overflow READ at
libavcodec/bytestream.h:99 reported as ANT-2026-04052.
adpcm_decode_init() previously only enforced 'channels > 0' and
'block_align > 0' for PSXC. Tighten the init check to additionally
require 'block_align % channels == 0', which is the precise
invariant the decode loop depends on.
Reproducer: a crafted WAV header declaring channels=8, block_align=9
with the decoder forced via 'ffmpeg -c:a adpcm_psxc -i evil.wav'.
Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <[email protected]>
From 1891772309c0036a1db0e6de394d36a28355a59b Mon Sep 17 00:00:00 2001
From: David Korczynski <[email protected]>
Date: Thu, 21 May 2026 05:48:54 -0700
Subject: [PATCH] avcodec/adpcm: require block_align to be a multiple of
channels in ADPCM_PSXC init
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ADPCM_PSXC block loop in adpcm_decode_frame() (libavcodec/adpcm.c:
2770) iterates 'block < avpkt->size / block_align' times and, for
each block, consumes
channels * (1 + (block_align - 1) / channels)
input bytes via the *unchecked* bytestream2_get_byteu() reader. The
loop divides avpkt->size by block_align, so the loop bound is sound
only when the per-block consumption equals block_align — i.e. when
block_align is an exact multiple of channels. For any other
combination (e.g. block_align=9 with channels=8), each block consumes
more than block_align bytes; iterating avpkt->size/block_align
blocks then walks the input bytestream past avpkt->data +
avpkt->size, producing the heap-buffer-overflow READ at
libavcodec/bytestream.h:99 reported as ANT-2026-04052.
adpcm_decode_init() previously only enforced 'channels > 0' and
'block_align > 0' for PSXC. Tighten the init check to additionally
require 'block_align % channels == 0', which is the precise
invariant the decode loop depends on.
Reproducer: a crafted WAV header declaring channels=8, block_align=9
with the decoder forced via 'ffmpeg -c:a adpcm_psxc -i evil.wav'.
Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <[email protected]>
---
libavcodec/adpcm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index e06aa7606b..6ff3dad613 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -294,7 +294,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
break;
case AV_CODEC_ID_ADPCM_PSXC:
max_channels = 8;
- if (avctx->ch_layout.nb_channels <= 0 || avctx->block_align <= 0)
+ if (avctx->ch_layout.nb_channels <= 0 || avctx->block_align <= 0 ||
+ avctx->block_align % avctx->ch_layout.nb_channels)
return AVERROR_INVALIDDATA;
break;
case AV_CODEC_ID_ADPCM_IMA_DAT4:
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
