PR #21180 opened by ruikai URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21180 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21180.patch
fflcms2 caches tone curves in an array indexed by AVColorTransferCharacteristic values up to AVCOL_TRC_NB. After the introduction of extended transfer characteristics (e.g. Panasonic V-Log with value 256), get_curve() could be called with such values and attempt to index s->curves[trc] out of bounds when generating ICC profiles.

Restrict get_curve() to base TRC values and return AVERROR_PATCHWELCOME for any transfer characteristic greater than or equal to AVCOL_TRC_NB. This avoids out-of-bounds accesses for extended TRCs while leaving the behavior for supported base TRCs unchanged.

Repro on x86_64 with clang+ASan, lcms2 enabled, at aeb9b19ebc:

ASAN_OPTIONS=detect_leaks=0 ./ffmpeg -v error -f lavfi -i testsrc2=size=16x16:rate=1 -frames:v 1 -vf setparams=color_trc=vlog,iccgen -f null -

This triggers an ASan heap-buffer-overflow in get_curve(), reading s->curves[256] and reporting roughly 237 * 8 = 1896 bytes of out-of-bounds heap data before the function returns AVERROR_PATCHWELCOME for V-Log.

Impact: denial of service via crafted ICC-generation filtergraphs that use extended transfer characteristics (e.g. setparams=color_trc=vlog followed by iccgen) on builds with lcms2 and Panasonic V-Log support enabled.

Regression since: aeb9b19ebc
Found-by: Pwno

From 53c644e84783e829ff103adbab6b189be733360c Mon Sep 17 00:00:00 2001
From: Ruikai Peng <[email protected]>
Date: Fri, 12 Dec 2025 13:44:55 -0500
Subject: [PATCH] avcodec/fflcms2: reject extended TRCs in ICC generator

fflcms2 caches tone curves in an array indexed by AVColorTransferCharacteristic values up to AVCOL_TRC_NB. After the introduction of extended transfer characteristics (e.g. Panasonic V-Log with value 256), get_curve() could be called with such values and attempt to index s->curves[trc] out of bounds when generating ICC profiles.

Restrict get_curve() to base TRC values and return AVERROR_PATCHWELCOME for any transfer characteristic greater than or equal to AVCOL_TRC_NB. This avoids out-of-bounds accesses for extended TRCs while leaving the behavior for supported base TRCs unchanged.

Repro on x86_64 with clang+ASan, lcms2 enabled, at aeb9b19ebc:

ASAN_OPTIONS=detect_leaks=0 ./ffmpeg -v error -f lavfi -i testsrc2=size=16x16:rate=1 -frames:v 1 -vf setparams=color_trc=vlog,iccgen -f null -

This triggers an ASan heap-buffer-overflow in get_curve(), reading s->curves[256] and reporting roughly 237 * 8 = 1896 bytes of out-of-bounds heap data before the function returns AVERROR_PATCHWELCOME for V-Log.

Impact: denial of service via crafted ICC-generation filtergraphs that use extended transfer characteristics (e.g. setparams=color_trc=vlog followed by iccgen) on builds with lcms2 and Panasonic V-Log support enabled.

Regression since: aeb9b19ebc
Found-by: Pwno
---
 libavcodec/fflcms2.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/fflcms2.c b/libavcodec/fflcms2.c
index 3c7f3dc07f..1ade9cf298 100644
--- a/libavcodec/fflcms2.c
+++ b/libavcodec/fflcms2.c
@@ -50,7 +50,11 @@ void ff_icc_context_uninit(FFIccContext *s) static int get_curve(FFIccContext *s, enum AVColorTransferCharacteristic trc, cmsToneCurve **out_curve) { - if ((unsigned)trc < AVCOL_TRC_NB && s->curves[trc]) + /* Only base TRCs are cached here; extended TRCs aren't supported yet. */ + if ((unsigned)trc >= AVCOL_TRC_NB) + return AVERROR_PATCHWELCOME; + + if (s->curves[trc]) goto done; switch (trc) { @@ -125,7 +129,6 @@ static int get_curve(FFIccContext *s, enum AVColorTransferCharacteristic trc, case AVCOL_TRC_BT1361_ECG: case AVCOL_TRC_SMPTE2084: case AVCOL_TRC_ARIB_STD_B67: - case AVCOL_TRC_V_LOG: return AVERROR_PATCHWELCOME; default: -- 2.49.1
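Review bot: Moving the bound check ahead of every use of trc in the first hunk (@@ -50,7 +50,11 @@) is the correct fix; the old condition `if ((unsigned)trc < AVCOL_TRC_NB && s->curves[trc])` only short-circuited the cache-hit path, so any later s->curves[trc] access in get_curve() (the read at s->curves[256] the commit message reports) ran unguarded. Two follow-ups: keep the `(unsigned)` cast exactly as written, since it folds negative enum values into the same rejected range with one comparison, and add a FATE test built from the repro filtergraph in the commit message (setparams=color_trc=vlog,iccgen) so the bound is exercised in CI rather than only under a manual ASan run.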
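Review bot: Dropping `case AVCOL_TRC_V_LOG:` in the second hunk (@@ -125,7 +129,6 @@) is consistent, because the new range check returns before the switch for every value >= AVCOL_TRC_NB and the label became unreachable; it does mean the switch no longer records that V-Log is deliberately unsupported. A one-line comment next to the remaining AVERROR_PATCHWELCOME cases (or at the range check) saying that extended TRCs are filtered above would help whoever later implements V-Log, who will also have to size s->curves[] beyond AVCOL_TRC_NB rather than just re-adding the case.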
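The array-index bug the commit message describes, reduced to its shape as an added example (this is not FFmpeg's code): a cache sized by the enum's _NB count, a constructed enum whose extended value mirrors AVCOL_TRC_V_LOG = 256, and a get_curve() that range-checks before indexing, as the patch does. The names enum trc, struct curve_cache, build_curve, lookup and generated_count are all constructed for this demo.

```c
#include <stddef.h>
/* Constructed stand-in (not FFmpeg's enum) for AVColorTransferCharacteristic:
 * base values are small and counted by TRC_NB; the extended value mirrors
 * AVCOL_TRC_V_LOG = 256, which lies past the end of a TRC_NB-sized array. */
enum trc {
    TRC_BT709     = 1,
    TRC_SMPTE2084 = 16,
    TRC_NB,                /* one past the last base value: the cache size */
    TRC_V_LOG     = 256,   /* extended TRC: not a valid cache index */
};

/* Hypothetical tone-curve cache, shaped like s->curves[] in fflcms2. */
struct curve_cache {
    const char *curves[TRC_NB];
    int generated;         /* curves built so far (cache misses) */
};

static struct curve_cache g_cache;   /* sample cache used by the demo below */

/* Hypothetical curve builder: a static description per supported base TRC. */
static const char *build_curve(enum trc trc)
{
    switch (trc) {
    case TRC_BT709:     return "bt709";
    case TRC_SMPTE2084: return "smpte2084";
    default:            return NULL;  /* base value with no curve yet */
    }
}

/* Range check BEFORE any indexing, as the patch does. The cast to unsigned
 * folds negative values into "too large", so one comparison rejects both
 * directions. Returns 0 on success, -1 (stand-in for AVERROR_PATCHWELCOME)
 * for extended or unsupported TRCs; s->curves[trc] is never read for those. */
static int get_curve(struct curve_cache *s, enum trc trc, const char **out)
{
    if ((unsigned)trc >= TRC_NB)
        return -1;
    if (!s->curves[trc]) {
        const char *c = build_curve(trc);
        if (!c)
            return -1;
        s->curves[trc] = c;
        s->generated++;
    }
    *out = s->curves[trc];
    return 0;
}
/* Thin wrappers over the shared sample cache so results can be checked. */
static int lookup(int trc) { const char *o; return get_curve(&g_cache, (enum trc)trc, &o); }
static int generated_count(void) { return g_cache.generated; }
```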
