avformat/ty: check rec_size
authorMichael Niedermayer <michael@niedermayer.cc>
Sat, 16 May 2026 19:14:40 +0000 (21:14 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sat, 13 Jun 2026 02:14:24 +0000 (04:14 +0200)
Fixes: ada-4-poc.ty

change is based on the suggested fix

Found-by: Claude and Ada Logics. This issue was found by Anthropic from using agents to study security of open source projects
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4492ad7228a381c2f0c8b79d333a59c7657311c9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/ty.c

index c5ea4bf98d99ad95d481be9e01a1b0fe839dcc70..a2440c6293fc2b8546c4aafd398e57f55f3d23d4 100644 (file)
@@ -393,12 +393,16 @@ static int demux_video(AVFormatContext *s, TyRecHdr *rec_hdr, AVPacket *pkt)
     int got_packet = 0;
 
     if (subrec_type != 0x02 && subrec_type != 0x0c &&
-        subrec_type != 0x08 && rec_size > 4) {
+        subrec_type != 0x08 && rec_size > 7) {
+
         /* get the PTS from this packet if it has one.
          * on S1, only 0x06 has PES.  On S2, however, most all do.
          * Do NOT Pass the PES Header to the MPEG2 codec */
         es_offset1 = find_es_header(ty_VideoPacket, ty->chunk + ty->cur_chunk_pos, 5);
         if (es_offset1 != -1) {
+            if (rec_size < es_offset1 + VIDEO_PTS_OFFSET + 5)
+                return AVERROR_INVALIDDATA;
+
             ty->last_video_pts = ff_parse_pes_pts(
                     ty->chunk + ty->cur_chunk_pos + es_offset1 + VIDEO_PTS_OFFSET);
             if (subrec_type != 0x06) {