From 8efc0192500f9840181fd56347db81194a0ae43d Mon Sep 17 00:00:00 2001 From: tomaioo Date: Wed, 27 May 2026 05:08:03 -0700 Subject: [PATCH] fix(torchcodec): potential buffer overflow in aviofilelikecontext:: In AVIOFileLikeContext.cpp, the read function uses `std::memcpy(buf, bytesView.data(), numBytesRead)` where `numBytesRead` comes from Python file-like objects. While there are checks, the validation `numBytesRead <= request` only ensures it's less than the request, but doesn't validate against the actual buffer size `buf_size` passed by FFmpeg. The loop increments `buf` and `totalNumRead`, but if Python returns more bytes than expected in edge cases, this could cause issues. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- src/torchcodec/_core/AVIOFileLikeContext.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/torchcodec/_core/AVIOFileLikeContext.cpp b/src/torchcodec/_core/AVIOFileLikeContext.cpp index 1331abd5b..2b60a1843 100644 --- a/src/torchcodec/_core/AVIOFileLikeContext.cpp +++ b/src/torchcodec/_core/AVIOFileLikeContext.cpp @@ -68,9 +68,9 @@ int AVIOFileLikeContext::read(void* opaque, uint8_t* buf, int buf_size) { numBytesRead, " bytes. The given object does not conform to read protocol of file object."); - std::memcpy(buf, bytesView.data(), numBytesRead); - buf += numBytesRead; - totalNumRead += numBytesRead; + std::memcpy(buf, bytesView.data(), numBytesToRead); + buf += numBytesToRead; + totalNumRead += numBytesToRead; } return totalNumRead == 0 ? AVERROR_EOF : totalNumRead;