breeze/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2026-01-12 00:06:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame

Browse Source 
Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read
from the bitstream was not validated against the remaining bytes in the
input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size
exceeding the actual packet data, leading to an out-of-bounds read.

The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is
greater than or equal to `header_len - 2` before initializing `gb_hdr`.

Fixes: https://issues.oss-fuzz.com/issues/439711053
This commit is contained in:
Oliver Chang
2025-12-03 02:57:43 +00:00
committed by Lynne
parent e3e3265034
commit 041d4f010e
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libavcodec/prores_raw.c
View File

@@ -360,7 +360,7 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
int header_len = bytestream2_get_be16(&gb);
if (header_len < 62)
if (header_len < 62 || bytestream2_get_bytes_left(&gb) < header_len - 2)
return AVERROR_INVALIDDATA;
GetByteContext gb_hdr;