Skip to content

Security: Potential Buffer Overflow in AVIOFileLikeContext::read#1451

Open
tomaioo wants to merge 1 commit into
meta-pytorch:mainfrom
tomaioo:fix/security/potential-buffer-overflow-in-aviofilelik
Open

Security: Potential Buffer Overflow in AVIOFileLikeContext::read#1451
tomaioo wants to merge 1 commit into
meta-pytorch:mainfrom
tomaioo:fix/security/potential-buffer-overflow-in-aviofilelik

Conversation

@tomaioo

@tomaioo tomaioo commented May 27, 2026

Copy link
Copy Markdown

Summary

Security: Potential Buffer Overflow in AVIOFileLikeContext::read

Problem

Severity: Medium | File: src/torchcodec/_core/AVIOFileLikeContext.cpp:L39

In AVIOFileLikeContext.cpp, the read function uses std::memcpy(buf, bytesView.data(), numBytesRead) where numBytesRead comes from Python file-like objects. While there are checks, the validation numBytesRead <= request only ensures it's less than the request, but doesn't validate against the actual buffer size buf_size passed by FFmpeg. The loop increments buf and totalNumRead, but if Python returns more bytes than expected in edge cases, this could cause issues.

Solution

Add explicit bounds checking to ensure numBytesRead never exceeds buf_size - totalNumRead before the memcpy. Consider using std::min to clamp the value.

Changes

  • src/torchcodec/_core/AVIOFileLikeContext.cpp (modified)

@tomaioo
fix(torchcodec): potential buffer overflow in aviofilelikecontext::
8efc019 
In AVIOFileLikeContext.cpp, the read function uses `std::memcpy(buf, bytesView.data(), numBytesRead)` where `numBytesRead` comes from Python file-like objects. While there are checks, the validation `numBytesRead <= request` only ensures it's less than the request, but doesn't validate against the actual buffer size `buf_size` passed by FFmpeg. The loop increments `buf` and `totalNumRead`, but if Python returns more bytes than expected in edge cases, this could cause issues.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@pytorch-bot

pytorch-bot Bot commented May 27, 2026

Copy link
Copy Markdown

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/meta-pytorch/torchcodec/1451

Note: Links to docs will display an error until the docs builds have been completed.

❗ 1 Active SEVs

There are 1 currently active SEVs. If your PR is affected, please view them below:

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla

meta-cla Bot commented May 27, 2026

Copy link
Copy Markdown

Hi @tomaioo!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tomaioo