breeze/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2026-01-12 00:06:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

avformat/mpegts: bounds-check JPEG-XS header_size before padding

Browse Source 
Regression since: 536475ea05.

The JPEG-XS PES path trusted header_size from the payload and advanced
pkt->data/pkt->size without validation, so the trailing memset could
write out of bounds when header_size > pkt->size. Reject such packets,
marking them corrupt and returning an error to avoid the OOB write.

Repro (ASan):
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0   ./ffmpeg -v debug -nostdin -i poc-jpegxs.ts -copy_unknown -map 0   -c copy -f null /dev/null

Crash in new_pes_packet memset on crafted TS with stream_id 0xbd,
stream_type 0x32, header_size 0xFFFFFF00, payload starting with jxes.

Found-by: Pwno
This commit is contained in:
Ruikai Peng
2025-12-14 12:26:37 -05:00
committed by James Almer
parent 131a33c808
commit 16f89d342e
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/mpegts.c
View File

@@ -1035,6 +1035,13 @@ static int new_pes_packet(PESContext *pes, AVPacket *pkt)
pkt->size >= 8 && memcmp(pkt->data + 4, "jxes", 4) == 0)
{
uint32_t header_size = AV_RB32(pkt->data);
if (header_size > pkt->size) {
av_log(pes->stream, AV_LOG_WARNING,
"Invalid JPEG-XS header size %"PRIu32" > packet size %d\n",
header_size, pkt->size);
pes->flags |= AV_PKT_FLAG_CORRUPT;
return AVERROR_INVALIDDATA;
}
pkt->data += header_size;
pkt->size -= header_size;
}