The branch, master has been updated
via 041d4f010e9fd73d661b2fc48309dd7f548a1481 (commit)
from e3e32650348dc7adf71e184f9d2aa4912e62696e (commit)
- Log -----------------------------------------------------------------
commit 041d4f010e9fd73d661b2fc48309dd7f548a1481
Author: Oliver Chang <[email protected]>
AuthorDate: Wed Dec 3 02:57:43 2025 +0000
Commit: Lynne <[email protected]>
CommitDate: Wed Dec 3 16:40:02 2025 +0000
libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame
Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read
from the bitstream was not validated against the remaining bytes in the
input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size
exceeding the actual packet data, leading to an out-of-bounds read.
The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is
greater than or equal to `header_len - 2` before initializing `gb_hdr`.
Fixes: https://issues.oss-fuzz.com/issues/439711053
diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c
index 01f1bbd2fb..8be566ed36 100644
--- a/libavcodec/prores_raw.c
+++ b/libavcodec/prores_raw.c
@@ -360,7 +360,7 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
int header_len = bytestream2_get_be16(&gb);
- if (header_len < 62)
+ if (header_len < 62 || bytestream2_get_bytes_left(&gb) < header_len - 2)
return AVERROR_INVALIDDATA;
GetByteContext gb_hdr;
-----------------------------------------------------------------------
Summary of changes:
libavcodec/prores_raw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
