avformat/dhav: Fix off by length of read element error
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 19 Sep 2025 23:25:51 +0000 (01:25 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 19 Nov 2025 01:04:58 +0000 (02:04 +0100)
Fixes: out of array read
Fixes: BIGSLEEP-445383648
Fixes: crash_input_1/2/3.dhav

Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 55e71768cf7d9cb395187be0cf38e97b9c454ea1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/dhav.c

index 21c9c530d6f11a3250139a7f8143ef6e5a75f8b0..b3fa612ab303d123ff73a28218d608ec48f29c13 100644 (file)
@@ -251,7 +251,7 @@ static int64_t get_duration(AVFormatContext *s)
     unsigned date;
     int64_t size = avio_size(s->pb);
 
-    if (start_pos + 16 > size)
+    if (start_pos + 20 > size)
         return 0;
 
     avio_skip(s->pb, 16);
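Review bot: The new bound `start_pos + 20` is still a bare magic number whose relation to the read it guards is not visible in the hunk; the 16 in `avio_skip(s->pb, 16)` accounts for only part of it, and the remaining 4 bytes presumably correspond to a 32-bit field read after the skip, outside this hunk. A comment on the check such as `/* 16 bytes skipped + 4-byte date field must fit before EOF */` would make the constant self-explaining. The same applies to the second hunk ending at line 31, where the 20 has to stay in step with the `+ 16` offset handed to AV_RL32 on the next line, so a single named constant shared by both checks would keep them from drifting apart again. get_duration begins before the first hunk and continues past both.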
@@ -279,7 +279,7 @@ static int64_t get_duration(AVFormatContext *s)
         }
     }
 
-    if (pos < buffer_pos || pos + 16 > buffer_pos + buffer_size)
+    if (pos < buffer_pos || pos + 20 > buffer_pos + buffer_size)
         goto fail;
 
     date = AV_RL32(buffer + (pos - buffer_pos) + 16);