Stowage/ffmpeg
2
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-04 14:40:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

avformat/cafdec: fix negative index use in read_seek

Browse source 
av_index_search_timestamp() returns a negative value when a seek target
cannot be resolved from the stream index. Bail out before using that
result as an index into sti->index_entries to avoid out-of-bounds reads.

Fixes: Buffer underflow

Fixes: DFVULN-608

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

(cherry picked from commit 5408059eb7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
depthfirst-dev[bot] 2026-04-23 02:47:11 +00:00 committed by Michael Niedermayer
parent bfc92275ef
commit fe784a186d
No known key found for this signature in database
GPG key ID: B18E8928B3948D64
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
libavformat/cafdec.c
View file

@ -505,6 +505,8 @@ static int read_seek(AVFormatContext *s, int stream_index,
frame_cnt = caf->frames_per_packet * packet_cnt;
} else if (sti->nb_index_entries) {
packet_cnt = av_index_search_timestamp(st, timestamp, flags);
if (packet_cnt < 0)
return -1;
frame_cnt = sti->index_entries[packet_cnt].timestamp;
pos = sti->index_entries[packet_cnt].pos;
} else {