This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new 9849a274df avcodec/dpx: Fix heap-buffer-overflow in 16-bit decoding
9849a274df is described below

commit 9849a274dfdd3d59f8babb50fcebe2dcbdfeb2d4
Author:     Oliver Chang <[email protected]>
AuthorDate: Fri Dec 5 02:07:10 2025 +0000
Commit:     michaelni <[email protected]>
CommitDate: Sun Dec 7 19:41:02 2025 +0000

    avcodec/dpx: Fix heap-buffer-overflow in 16-bit decoding
    
    Fixes a heap-buffer-overflow in `libavcodec/dpx.c` triggered by a stale
    `unpadded_10bit` flag in the `DPXDecContext`. This flag, set for 10-bit
    unpadded frames, persisted across `decode_frame` calls. If a subsequent
    frame was 16-bit, the stale flag caused incorrect buffer size
    validation, allowing truncated buffers to pass checks designed for
    smaller 10-bit packed data. This led to an out-of-bounds read in
    `av_image_copy_plane` during 16-bit decoding.
    
    The fix explicitly resets `dpx->unpadded_10bit = 0` at the start of
    `decode_frame` to ensure correct validation for each frame.
    
    Fixes: https://issues.oss-fuzz.com/issues/464471792
    Signed-off-by: Michael Niedermayer <[email protected]>
    Fixes: out of array read
    Fixes: 464471792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_DEC_fuzzer-5275522210004992
---
 libavcodec/dpx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index 7355b50f7a..8c075fd538 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -612,6 +612,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
     av_dict_set(&p->metadata, "Input Device", input_device, 0);
 
     // Some devices do not pad 10bit samples to whole 32bit words per row
+    dpx->unpadded_10bit = 0;
     if (!memcmp(input_device, "Scanity", 7) ||
         !memcmp(creator, "Lasergraphics Inc.", 18)) {
         if (avctx->bits_per_raw_sample == 10)
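
Review bot: the new `dpx->unpadded_10bit = 0;` sits between the comment "Some devices do not pad 10bit samples to whole 32bit words per row" and the `if (!memcmp(input_device, "Scanity", 7) ||` that the comment describes, so the comment now reads as if it documents the reset. Move the assignment above the comment, or give it its own one-line comment saying that the flag lives in the decoder context and has to be cleared for every frame. Separately, the commit message says the reset happens at the start of `decode_frame`, but the hunk places it at about line 615, after the "Input Device" metadata is set. It is worth confirming that nothing earlier in the function reads the flag; clearing it at function entry would keep that true if an earlier read is ever added.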

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
