avcodec/zmbv: reject XOR data that overruns the decompression buffer

Add a per-block bounds check at the start of each XOR block so the
read is rejected before src crosses decomp_len, and propagate the
error from decode_frame().

Fixes: out of array read

Found-by: Seung Min Shin
Michael Niedermayer
2026-05-02 11:11:02 +02:00
committed by michaelni
parent 2f60af465a
commit 2a991a3475
+12 -2
@@ -139,6 +139,8 @@ static int zmbv_decode_xor_8(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2)
return AVERROR_INVALIDDATA;
out = output + x;
for (j = 0; j < bh2; j++) {
for (i = 0; i < bw2; i++)
@@ -213,6 +215,8 @@ static int zmbv_decode_xor_16(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 2)
return AVERROR_INVALIDDATA;
out = output + x;
for (j = 0; j < bh2; j++){
for (i = 0; i < bw2; i++) {
@@ -297,6 +301,8 @@ static int zmbv_decode_xor_24(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 3)
return AVERROR_INVALIDDATA;
out = output + x * 3;
for (j = 0; j < bh2; j++) {
for (i = 0; i < bw2; i++) {
@@ -375,6 +381,8 @@ static int zmbv_decode_xor_32(ZmbvContext *c)
}
if (d) { /* apply XOR'ed difference */
if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 4)
return AVERROR_INVALIDDATA;
out = output + x;
for (j = 0; j < bh2; j++){
for (i = 0; i < bw2; i++) {
@@ -569,8 +577,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
frame->pict_type = AV_PICTURE_TYPE_P;
if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh))
return AVERROR_INVALIDDATA;
if (c->decomp_len)
c->decode_xor(c);
if (c->decomp_len) {
if ((ret = c->decode_xor(c)) < 0)
return ret;
}
}
/* update frames */
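Review bot: The new guard in zmbv_decode_xor_8 returns AVERROR_INVALIDDATA without logging anything, and the matching guards in zmbv_decode_xor_16, _24 and _32 do the same, so a stream rejected for overrunning the XOR data cannot be told apart from the other silent AVERROR_INVALIDDATA return visible in decode_frame. A one-line message before each return would make truncated or malformed input easier to triage, for example `av_log(c->avctx, AV_LOG_ERROR, "XOR data overruns decompressed buffer\n");` (assuming c->avctx is the logging context here, which these hunks do not show). The comparison also appears to depend on the left-hand side staying signed, so that a src already past decomp_len yields a negative remainder and is rejected; a short comment such as `/* signed on purpose: src may already be beyond decomp_len */` would protect that against a later type change. The block loops and the reads that precede them start outside these hunks, so whether src can already be past the end on entry was not checked here.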