avcodec/zmbv: reject XOR data that overruns the decompression buffer

Add a per-block bounds check at the start of each XOR block so the read is rejected before src crosses decomp_len, and propagate the error from decode_frame(). Fixes: out of array read Found-by: Seung Min Shin (cherry picked from commit 2a991a3475) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-02 11:11:02 +02:00
parent 88580e69b8
commit b7580604ca
2 changed files with 12 additions and 3 deletions
@@ -136,6 +136,8 @@ static int zmbv_decode_xor_8(ZmbvContext *c)
            }

            if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2)
+                    return AVERROR_INVALIDDATA;
                out = output + x;
                for (j = 0; j < bh2; j++) {
                    for (i = 0; i < bw2; i++)
@@ -210,6 +212,8 @@ static int zmbv_decode_xor_16(ZmbvContext *c)
            }

            if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 2)
+                    return AVERROR_INVALIDDATA;
                out = output + x;
                for (j = 0; j < bh2; j++){
                    for (i = 0; i < bw2; i++) {
@@ -294,6 +298,8 @@ static int zmbv_decode_xor_24(ZmbvContext *c)
            }

            if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 3)
+                    return AVERROR_INVALIDDATA;
                out = output + x * 3;
                for (j = 0; j < bh2; j++) {
                    for (i = 0; i < bw2; i++) {
@@ -372,6 +378,8 @@ static int zmbv_decode_xor_32(ZmbvContext *c)
            }

            if (d) { /* apply XOR'ed difference */
+                if (c->decomp_len - (src - c->decomp_buf) < bw2 * bh2 * 4)
+                    return AVERROR_INVALIDDATA;
                out = output + x;
                for (j = 0; j < bh2; j++){
                    for (i = 0; i < bw2; i++) {
@@ -564,8 +572,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
        frame->pict_type = AV_PICTURE_TYPE_P;
        if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh))
            return AVERROR_INVALIDDATA;
-        if (c->decomp_len)
-            c->decode_xor(c);
+        if (c->decomp_len) {
+            if ((ret = c->decode_xor(c)) < 0)
+                return ret;
+        }
    }

    /* update frames */
@@ -278,4 +278,3 @@
 0,        272,        272,        1,   192000, 0xd08e49d1
 0,        273,        273,        1,   192000, 0xd08e49d1
 0,        274,        274,        1,   192000, 0xd08e49d1
-0,        275,        275,        1,   192000, 0x1f34135f