PR #23387 opened by toots URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23387 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23387.patch
Cherry-picked from 6e0e13b0bf0493e764f0cdf9d0912b92e118bf32 Signed-off-by: Romain Beauxis <[email protected]> >From 392e8f72eb2cc89fcbb3b06742637844d7991556 Mon Sep 17 00:00:00 2001 From: Romain Beauxis <[email protected]> Date: Thu, 21 May 2026 20:55:41 +0000 Subject: [PATCH] avformat/oggparsevorbis.c: Prevent integer overflow when summing header lengths; add bounds check. Cherry-picked from 6e0e13b0bf0493e764f0cdf9d0912b92e118bf32 Signed-off-by: Romain Beauxis <[email protected]> --- libavformat/oggparsevorbis.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 061840c2ed..17cf713e4c 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -223,8 +223,11 @@ static int fixup_vorbis_headers(AVFormatContext *as, int i, offset, len, err; int buf_len; unsigned char *ptr; + uint64_t total_len = (uint64_t)priv->len[0] + priv->len[1] + priv->len[2]; + if (total_len + total_len / 255 + 64 > INT_MAX) + return AVERROR_INVALIDDATA; - len = priv->len[0] + priv->len[1] + priv->len[2]; + len = total_len; buf_len = len + len / 255 + 64; if (*buf) -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
