From 041d4f010e9fd73d661b2fc48309dd7f548a1481 Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Wed, 3 Dec 2025 02:57:43 +0000 Subject: [PATCH] libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read from the bitstream was not validated against the remaining bytes in the input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size exceeding the actual packet data, leading to an out-of-bounds read. The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is greater than or equal to `header_len - 2` before initializing `gb_hdr`. Fixes: https://issues.oss-fuzz.com/issues/439711053 --- libavcodec/prores_raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index 01f1bbd2fb..8be566ed36 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c @@ -360,7 +360,7 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; int header_len = bytestream2_get_be16(&gb); - if (header_len < 62) + if (header_len < 62 || bytestream2_get_bytes_left(&gb) < header_len - 2) return AVERROR_INVALIDDATA; GetByteContext gb_hdr;