Kodi's current stable (Omega / v21) pins FFmpeg n6.0.1 (tools/depends/target/ffmpeg/FFMPEG-VERSION). That release still has CVE-2024-7055, an integer overflow in the PNM/PFM decoder that ends in an out-of-bounds heap read.
In libavcodec/pnmdec.c the buffer size is computed in int. A PFM declaring width=height=13385 overflows it (13385*13385*12 wraps negative), so the size check is bypassed and the decoder reads past the allocation.
Built the n6.0.1 tree with -fsanitize=address,undefined and ran:
ffmpeg -i poc.pfm -f null -
gives:
libavcodec/pnmdec.c:267:46: runtime error: signed integer overflow: 179158225 * 12 cannot be represented in type 'int'
PoC is a 68-byte PFM header declaring 13385x13385. Upstream fixed it by widening the multiply to 64-bit; current FFmpeg releases are not affected.
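To make the size computation and the 64-bit fix concrete, here is an added illustration (not FFmpeg's code, not the upstream patch) of the two shapes side by side: the int multiply that wraps for the dimensions above, and a checked variant that widens to int64_t and refuses any frame whose byte size does not fit a 32-bit size field. It assumes 12 bytes per pixel for an RGB float PFM, which matches the `179158225 * 12` in the sanitizer output; the function names and the exact form of the check are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable shape (added illustration, not the real pnmdec.c code):
 * width, height and bytes_per_pixel are all int, so the product is
 * evaluated in int and can wrap. The unsigned cast reproduces the wrap
 * deterministically instead of relying on undefined signed overflow. */
static int pnm_size_int(int width, int height, int bytes_per_pixel)
{
    uint32_t wrapped = (uint32_t)width * (uint32_t)height * (uint32_t)bytes_per_pixel;
    return (int)wrapped; /* negative for 13385 x 13385 x 12 */
}

/* Checked shape: widen to 64-bit before multiplying and reject anything
 * that does not fit an int. Each partial product is of two operands
 * <= INT_MAX, so it always fits in int64_t. Returns -1 on rejection. */
static int pnm_size_checked(int width, int height, int bytes_per_pixel)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return -1;
    int64_t pixels = (int64_t)width * height;
    if (pixels > INT_MAX)
        return -1;
    int64_t bytes = pixels * bytes_per_pixel;
    if (bytes > INT_MAX)
        return -1;
    return (int)bytes;
}

/* The check a decoder would perform before touching the buffer.
 * With the int version a negative size sails through "size > avail";
 * with the checked version the frame is rejected up front. */
static int frame_accepted_unchecked(int width, int height, int bpp, int avail)
{
    int size = pnm_size_int(width, height, bpp);
    return size <= avail; /* wrapped negative size passes */
}

static int frame_accepted_checked(int width, int height, int bpp, int avail)
{
    int size = pnm_size_checked(width, height, bpp);
    return size >= 0 && size <= avail;
}

int main(void)
{
    /* Dimensions from the report above; 12 bytes per pixel is an assumption. */
    int w = 13385, h = 13385, bpp = 12, avail = 1 << 20;
    printf("int size      : %d\n", pnm_size_int(w, h, bpp));
    printf("checked size  : %d\n", pnm_size_checked(w, h, bpp));
    printf("unchecked accepts frame: %d\n", frame_accepted_unchecked(w, h, bpp, avail));
    printf("checked accepts frame  : %d\n", frame_accepted_checked(w, h, bpp, avail));
    return 0;
}
```

The checked variant is a stand-in for the widened multiply upstream applied; the point is that the comparison against the available buffer must happen on a value that cannot have wrapped.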
It's reachable through the bundled decoder, so bumping the pinned FFmpeg (or backporting the fix) resolves it.