github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-22 05:40:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/exr: use tile dimensions in pxr24 UINT case

Browse Source 
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize which lead to two
buffer overflows when interacting with the ptr variable in the same
switch statement.

Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <veyga@veygax.dev>
This commit is contained in:
veygax
2025-11-02 02:35:40 +00:00
committed by Michael Niedermayer
parent 6e8cf0377f
commit 162f75b5e6
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/exr.c
View File

@@ -748,12 +748,12 @@ static int pxr24_uncompress(const EXRContext *s, const uint8_t *src,
break;
case EXR_UINT:
ptr[0] = in;
ptr[1] = ptr[0] + s->xdelta;
ptr[2] = ptr[1] + s->xdelta;
ptr[3] = ptr[2] + s->xdelta;
in = ptr[3] + s->xdelta;
ptr[1] = ptr[0] + td->xsize;
ptr[2] = ptr[1] + td->xsize;
ptr[3] = ptr[2] + td->xsize;
in = ptr[3] + td->xsize;
for (j = 0; j < s->xdelta; ++j) {
for (j = 0; j < td->xsize; ++j) {
uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
(*(ptr[1]++) << 16) |
(*(ptr[2]++) << 8 ) |