avformat/avidec: validate INFO list size before parsing

Reject INFO list chunks that are too small to contain the expected
4-byte list type field before calling ff_read_riff_info().

The parser subtracts 4 from the list size when handing the remaining
payload to ff_read_riff_info(). If the chunk is smaller than 4 bytes,
that underflows the expected structure and should be treated as invalid
input.

Fixes: DFVULN-607

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

(cherry picked from commit f1c3f1cae1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
depthfirst-dev[bot]
2026-04-23 02:47:11 +00:00
committed by Michael Niedermayer
parent 5de49f09d8
commit 5d142f8dc3
+4 -2
@@ -545,9 +545,11 @@ static int avi_read_header(AVFormatContext *s)
avi->movi_end = avi->fsize;
av_log(s, AV_LOG_TRACE, "movi end=%"PRIx64"\n", avi->movi_end);
goto end_of_header;
} else if (tag1 == MKTAG('I', 'N', 'F', 'O'))
} else if (tag1 == MKTAG('I', 'N', 'F', 'O')) {
if (size < 4)
return AVERROR_INVALIDDATA;
ff_read_riff_info(s, size - 4);
else if (tag1 == MKTAG('n', 'c', 'd', 't'))
} else if (tag1 == MKTAG('n', 'c', 'd', 't'))
avi_read_nikon(s, list_end);
break;
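Review bot: the new `if (size < 4)` check in the INFO branch returns AVERROR_INVALIDDATA silently, so a file rejected here gives no indication of which chunk was malformed; an av_log() call naming the INFO list and its size before the return would make the failure diagnosable. The return also makes avi_read_header() fail for the whole file because of a metadata list, so it is worth stating in the commit message or a comment whether a hard failure is intended rather than skipping the undersized list. On the line below the check, ff_read_riff_info(s, size - 4) is still called as a bare statement, so any error it reports through its return value remains ignored. As a style point, the INFO branch is now braced while the following `ncdt` branch is not, which leaves the if/else chain with mixed bracing.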