PR #21607 opened by Yalda URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21607 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21607.patch
fixes #21520 (unchecked avio_read() return leads to uninitialized memory read) >From 6e21df6bb2bd8acb4415a59721254d37e778c242 Mon Sep 17 00:00:00 2001 From: Yalda <[email protected]> Date: Fri, 30 Jan 2026 01:14:29 -0600 Subject: [PATCH 1/3] avformat/dtshddec: check return code of avio_read() Signed-off-by: Yalda <[email protected]> --- libavformat/dtshddec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/dtshddec.c b/libavformat/dtshddec.c index 28d3aeb47a..826a174051 100644 --- a/libavformat/dtshddec.c +++ b/libavformat/dtshddec.c @@ -119,7 +119,9 @@ static int dtshd_read_header(AVFormatContext *s) value = av_malloc(chunk_size); if (!value) goto skip; - avio_read(pb, value, chunk_size); + ret = avio_read(pb, value, chunk_size); + if (ret < 0) + return ret; value[chunk_size - 1] = 0; av_dict_set(&s->metadata, "fileinfo", value, AV_DICT_DONT_STRDUP_VAL); -- 2.52.0 >From 8ea3bbe42d89fbf9cdff11a5c83cb5029e166bf6 Mon Sep 17 00:00:00 2001 From: Yalda <[email protected]> Date: Fri, 30 Jan 2026 01:15:51 -0600 Subject: [PATCH 2/3] avformat/dss: check return code of avio_read() Signed-off-by: Yalda <[email protected]> --- libavformat/dss.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/dss.c b/libavformat/dss.c index 6cabdb5421..b7d25c644a 100644 --- a/libavformat/dss.c +++ b/libavformat/dss.c @@ -339,7 +339,10 @@ static int dss_read_seek(AVFormatContext *s, int stream_index, if (ret < 0) return ret; - avio_read(s->pb, header, DSS_AUDIO_BLOCK_HEADER_SIZE); + ret = avio_read(s->pb, header, DSS_AUDIO_BLOCK_HEADER_SIZE); + if (ret < 0) + return ret; + ctx->swap = !!(header[0] & 0x80); offset = 2*header[1] + 2*ctx->swap; if (offset < DSS_AUDIO_BLOCK_HEADER_SIZE) -- 2.52.0 >From 1ebf23a45b69064549c2bd400e27aeba66b51f3a Mon Sep 17 00:00:00 2001 From: Yalda <[email protected]> Date: Fri, 30 Jan 2026 01:17:41 -0600 Subject: [PATCH 3/3] avformat/mlvdec: check return code of avio_read() Signed-off-by: Yalda <[email protected]> --- libavformat/mlvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 3a5d211085..e9b3b2930a 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -74,12 +74,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) { unsigned int size; uint8_t version[8]; + int ret; avio_skip(pb, 4); size = avio_rl32(pb); if (size < 52) return AVERROR_INVALIDDATA; - avio_read(pb, version, 8); + ret = avio_read(pb, version, 8); + if (ret < 0) + return ret; if (memcmp(version, MLV_VERSION, 5) || avio_rl64(pb) != guid) return AVERROR_INVALIDDATA; avio_skip(pb, size - 24); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
