From 162f75b5e6798b385bb3eadd8280eff52d03cf29 Mon Sep 17 00:00:00 2001
From: veygax
Date: Sun, 2 Nov 2025 02:35:40 +0000
Subject: [PATCH] avcodec/exr: use tile dimensions in pxr24 UINT case

update the switch statement for EXR_UINT in pxr24_uncompress to correctly use the tile width td->xsize instead of using the full window width s->xdelta. s->delta is larger than td->xsize which lead to two buffer overflows when interacting with the ptr variable in the same switch statement.

Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax
---
 libavcodec/exr.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 2e500140e0..4a504344c5 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -748,12 +748,12 @@ static int pxr24_uncompress(const EXRContext *s, const uint8_t *src,
 break;
 case EXR_UINT:
 ptr[0] = in;
- ptr[1] = ptr[0] + s->xdelta;
- ptr[2] = ptr[1] + s->xdelta;
- ptr[3] = ptr[2] + s->xdelta;
- in = ptr[3] + s->xdelta;
+ ptr[1] = ptr[0] + td->xsize;
+ ptr[2] = ptr[1] + td->xsize;
+ ptr[3] = ptr[2] + td->xsize;
+ in = ptr[3] + td->xsize;
 
- for (j = 0; j < s->xdelta; ++j) {
+ for (j = 0; j < td->xsize; ++j) {
 uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
 (*(ptr[1]++) << 16) |
 (*(ptr[2]++) << 8 ) |
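Review bot: Nothing in the EXR_UINT case bounds `ptr[3] + td->xsize` against the end of the inflated buffer, and nothing records why `td->xsize` is the correct plane stride. The reads are presumably only safe because the decompressed-length check earlier in pxr24_uncompress sizes a UINT channel with the same width; that check lies outside this hunk, so confirm it. Since that implicit coupling is what drifted, I would add a comment above `ptr[0] = in;`, such as `/* four byte planes of td->xsize each per row; must match the per-channel size used when validating the inflated length */`. A regression sample with a UINT channel in a tile narrower than the data window would keep the two from diverging again. The function begins and ends outside the hunk.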