[FFmpeg-devel] [PATCH] avformat/segafilmenc: Fix division by zero with malformed Cinepak data
The film_write_packet() function reads encoded_buf_size from packet
data via AV_RB24() and uses it in a modulo operation without validation.
When the data contains zeros at this position, it causes division by zero.
Add validation to return AVERROR_INVALIDDATA when encoded_buf_size is zero.
Signed-off-by: Shubin123
---
libavformat/segafilmenc.c | 4
1 file changed, 4 insertions(+)
diff --git a/libavformat/segafilmenc.c b/libavformat/segafilmenc.c
index 88a5b9f972..2206ff9033 100644
--- a/libavformat/segafilmenc.c
+++ b/libavformat/segafilmenc.c
@@ -58,6 +58,10 @@ static int film_write_packet(AVFormatContext
*format_context, AVPacket *pkt)
if (codec_id == AV_CODEC_ID_CINEPAK) {
encoded_buf_size = AV_RB24(&pkt->data[1]);
/* Already Sega Cinepak, so no need to reformat the packets */
+if (encoded_buf_size == 0) {
+av_log(format_context, AV_LOG_ERROR, "Invalid encoded_buf_size
0\n");
+return AVERROR_INVALIDDATA;
+}
if (encoded_buf_size != pkt->size && (pkt->size % encoded_buf_size) !=
0) {
avio_write(pb, pkt->data, pkt->size);
} else {
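Review bot: The AV_RB24(&pkt->data[1]) read directly above the new check consumes pkt->data[1] through pkt->data[3], and nothing in this hunk verifies that pkt->size is at least 4 before that read. The zero check closes the modulo-by-zero, but a shorter packet would still be read past its end. Consider rejecting pkt->size < 4 with AVERROR_INVALIDDATA before the AV_RB24() call, unless that is already guaranteed earlier in the function, outside the visible context.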
--
2.34.1
___
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
[FFmpeg-devel] [PATCH] Update libavformat/segafilmenc.c (PR #20922)
PR #20922 opened by Shubin123
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20922
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20922.patch
The film_write_packet() function reads encoded_buf_size from packet
data via AV_RB24() and uses it in a modulo operation without validation.
When the data contains zeros at this position, it causes division by zero.
Add validation to return AVERROR_INVALIDDATA when encoded_buf_size is zero.
>From 27c5051a7a659f8723bb5fc6afe754988a9c2c4e Mon Sep 17 00:00:00 2001
From: Shubin123
Date: Fri, 14 Nov 2025 21:09:50 +
Subject: [PATCH] Update libavformat/segafilmenc.c
The film_write_packet() function reads encoded_buf_size from packet
data via AV_RB24() and uses it in a modulo operation without validation.
When the data contains zeros at this position, it causes division by zero.
Add validation to return AVERROR_INVALIDDATA when encoded_buf_size is zero.
---
libavformat/segafilmenc.c | 4
1 file changed, 4 insertions(+)
diff --git a/libavformat/segafilmenc.c b/libavformat/segafilmenc.c
index 88a5b9f972..2206ff9033 100644
--- a/libavformat/segafilmenc.c
+++ b/libavformat/segafilmenc.c
@@ -58,6 +58,10 @@ static int film_write_packet(AVFormatContext
*format_context, AVPacket *pkt)
if (codec_id == AV_CODEC_ID_CINEPAK) {
encoded_buf_size = AV_RB24(&pkt->data[1]);
/* Already Sega Cinepak, so no need to reformat the packets */
+if (encoded_buf_size == 0) {
+av_log(format_context, AV_LOG_ERROR, "Invalid encoded_buf_size
0\n");
+return AVERROR_INVALIDDATA;
+}
if (encoded_buf_size != pkt->size && (pkt->size % encoded_buf_size) !=
0) {
avio_write(pb, pkt->data, pkt->size);
} else {
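Review bot: The new block sits between the comment "Already Sega Cinepak, so no need to reformat the packets" and the if that the comment describes, which detaches the comment from its condition. Move the zero check directly after the AV_RB24() assignment and above the comment. The log text "Invalid encoded_buf_size 0" names an internal variable, so a message that says the Cinepak packet declares a zero encoded size would be more useful to someone reading the log.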
--
2.49.1
