The branch, master has been updated
via 7896cc67c13037abba8941e39a74c56d26b775a7 (commit)
via c911e0001115bbda904ad103b12c27b9a3c0c265 (commit)
via 8e078826da6f2a1dffa25162121b43b272f5e5fa (commit)
from ef60d5ac32a71d62e09630acc73b56f09a7d5ef2 (commit)
- Log -----------------------------------------------------------------
commit 7896cc67c13037abba8941e39a74c56d26b775a7
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:18:30 2025 +0200
Commit: michaelni <[email protected]>
CommitDate: Wed Oct 8 00:27:49 2025 +0000
avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9da935b382..c83325aa52 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1005,6 +1005,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
if (version != 2)
return AVERROR_INVALIDDATA;
+ if (s->nb_channels < 3) {
+ avpriv_request_sample(s->avctx, "Gray DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+
lo_usize = AV_RL64(src + 8);
lo_size = AV_RL64(src + 16);
ac_size = AV_RL64(src + 24);
commit c911e0001115bbda904ad103b12c27b9a3c0c265
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 21:28:04 2025 +0200
Commit: michaelni <[email protected]>
CommitDate: Wed Oct 8 00:27:49 2025 +0000
avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
thus we ask the user for a sample if she encounters such a file
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b772f1f74a..9da935b382 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -992,8 +992,8 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
int64_t version, lo_usize, lo_size;
int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
int64_t ac_count, dc_count, ac_compression;
- const int dc_w = td->xsize >> 3;
- const int dc_h = td->ysize >> 3;
+ const int dc_w = (td->xsize + 7) >> 3;
+ const int dc_h = (td->ysize + 7) >> 3;
GetByteContext gb, agb;
int skip, ret;
int have_rle = 0;
@@ -1031,6 +1031,10 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
return AVERROR_INVALIDDATA;
}
+ if (td->xsize % 8 || td->ysize % 8) {
+ avpriv_request_sample(s->avctx, "odd dimensions DWA");
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
commit 8e078826da6f2a1dffa25162121b43b272f5e5fa
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 17:32:46 2025 +0200
Commit: michaelni <[email protected]>
CommitDate: Wed Oct 8 00:27:49 2025 +0000
avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index e6051567d1..b772f1f74a 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1021,6 +1021,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
)
return AVERROR_INVALIDDATA;
+ if (ac_size <= 0) {
+ avpriv_request_sample(s->avctx, "Zero ac_size");
+ return AVERROR_INVALIDDATA;
+ }
+
if ((uint64_t)rle_raw_size > INT_MAX) {
avpriv_request_sample(s->avctx, "Too big rle_raw_size");
return AVERROR_INVALIDDATA;
-----------------------------------------------------------------------
Summary of changes:
libavcodec/exr.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
