This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 6d8f7882ae avcodec/adpcm: require block_align to be a multiple of
channels in ADPCM_PSXC init
6d8f7882ae is described below
commit 6d8f7882ae6e7b7b86697474ee1a3755dfba1858
Author: David Korczynski <[email protected]>
AuthorDate: Thu May 21 05:48:54 2026 -0700
Commit: michaelni <[email protected]>
CommitDate: Wed Jun 3 20:33:19 2026 +0000
avcodec/adpcm: require block_align to be a multiple of channels in
ADPCM_PSXC init

The ADPCM_PSXC block loop in adpcm_decode_frame() (libavcodec/adpcm.c:
2770) iterates 'block < avpkt->size / block_align' times and, for
each block, consumes

    channels * (1 + (block_align - 1) / channels)

input bytes via the *unchecked* bytestream2_get_byteu() reader. The
loop divides avpkt->size by block_align, so the loop bound is sound
only when the per-block consumption equals block_align — i.e. when
block_align is an exact multiple of channels. For any other
combination (e.g. block_align=9 with channels=8), each block consumes
more than block_align bytes; iterating avpkt->size/block_align
blocks then walks the input bytestream past avpkt->data +
avpkt->size, producing the heap-buffer-overflow READ at
libavcodec/bytestream.h:99 reported as ANT-2026-04052.

adpcm_decode_init() previously only enforced 'channels > 0' and
'block_align > 0' for PSXC. Tighten the init check to additionally
require 'block_align % channels == 0', which is the precise
invariant the decode loop depends on.

Reproducer: a crafted WAV header declaring channels=8, block_align=9
with the decoder forced via 'ffmpeg -c:a adpcm_psxc -i evil.wav'.

Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <[email protected]>
---
libavcodec/adpcm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index e06aa7606b..6ff3dad613 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -294,7 +294,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
break;
case AV_CODEC_ID_ADPCM_PSXC:
max_channels = 8;
- if (avctx->ch_layout.nb_channels <= 0 || avctx->block_align <= 0)
+ if (avctx->ch_layout.nb_channels <= 0 || avctx->block_align <= 0 ||
+ avctx->block_align % avctx->ch_layout.nb_channels)
return AVERROR_INVALIDDATA;
break;
case AV_CODEC_ID_ADPCM_IMA_DAT4:
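Review bot: The added `avctx->block_align % avctx->ch_layout.nb_channels` term in the ADPCM_PSXC case carries no comment tying it to the decode loop, which per the commit message derives its iteration count from avpkt->size / block_align while reading through the unchecked bytestream2_get_byteu(); a one-line comment at this condition would keep a later cleanup from dropping it as redundant. The modulo is safe against division by zero only because `nb_channels <= 0` is tested earlier in the same `||` chain, so that operand order needs to stay as it is. With this change the init check is the only guard for the unchecked reads, so bounding the block loop on the bytes remaining in the packet would be worth considering as a second line of defence.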
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
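
The arithmetic in the commit message above, as an added example that is not part of the commit or of FFmpeg: a small C model of the loop bound and per-block consumption, swept over all geometries to confirm that the new init condition accepts exactly the cases the model cannot over-read. All function names and the sweep limits are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes one block consumes, using the formula quoted in the commit message. */
static size_t psxc_block_consumption(unsigned block_align, unsigned channels)
{
    return (size_t)channels * (1 + (block_align - 1) / channels);
}

/* Bytes the modelled loop reads past a packet of `size` bytes (0 if none). */
static size_t psxc_overread(size_t size, unsigned block_align, unsigned channels)
{
    size_t blocks   = size / block_align;   /* loop bound: avpkt->size / block_align */
    size_t consumed = blocks * psxc_block_consumption(block_align, channels);
    return consumed > size ? consumed - size : 0;
}

/* The tightened init condition from the patch; returns 1 when accepted. */
static int psxc_init_ok(int block_align, int channels)
{
    return channels > 0 && block_align > 0 && block_align % channels == 0;
}

/* Returns 1 if, for every geometry up to the (assumed) limits, init accepts
 * it exactly when no packet size in the sweep makes the model over-read. */
static int psxc_check_matches_model(int max_channels, int max_align)
{
    for (int c = 1; c <= max_channels; c++)
        for (int b = 1; b <= max_align; b++) {
            int safe = 1;
            for (size_t size = 0; size <= 4 * (size_t)b; size++)
                if (psxc_overread(size, (unsigned)b, (unsigned)c))
                    safe = 0;
            if (safe != psxc_init_ok(b, c))
                return 0;
        }
    return 1;
}

int main(void)
{
    /* Geometry taken from the commit message; packet sizes are constructed. */
    printf("align=9 ch=8 size=9:  over-read %zu\n", psxc_overread(9, 9, 8));
    printf("align=9 ch=8 size=17: over-read %zu\n", psxc_overread(17, 9, 8));
    printf("init check matches model: %d\n", psxc_check_matches_model(8, 64));
    return 0;
}
```

The size=17 case shows why a single packet size is not a sufficient regression test: the same rejected geometry stays in bounds when the packet happens to carry enough trailing bytes.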