github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-20 21:00:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

avformat/img2dec: reject input images too big to fit into a single packet

Browse Source 
Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.

Fixes #YWH-PGM40646-32
This commit is contained in:
Timo Rothenpieler
2025-12-31 03:41:21 +01:00
parent 58bd5ad630
commit f6a95c7eb7
1 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
libavformat/img2dec.c
View File

@@ -365,8 +365,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
VideoDemuxData *s = s1->priv_data;
AVBPrint filename;
int i, res;
int size[3] = { 0 }, ret[3] = { 0 };
AVIOContext *f[3] = { NULL };
int ret[3] = { 0 };
int64_t size[3] = { 0 };
int64_t total_size;
AVIOContext *f[3] = { NULL };
AVCodecParameters *par = s1->streams[0]->codecpar;
av_bprint_init(&filename, 0, AV_BPRINT_SIZE_UNLIMITED);
@@ -456,7 +458,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
}
}
res = av_new_packet(pkt, size[0] + size[1] + size[2]);
total_size = size[0];
if (total_size > INT64_MAX - size[1])
return AVERROR_INVALIDDATA;
total_size += size[1];
if (total_size > INT64_MAX - size[2])
return AVERROR_INVALIDDATA;
total_size += size[2];
if (total_size > INT_MAX)
return AVERROR_INVALIDDATA;
res = av_new_packet(pkt, total_size);
if (res < 0) {
goto fail;
}