From 44864dbbb9b87d13d8f4ec92fb8536be0f9dbbc4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 3 Aug 2025 14:52:36 +0200
Subject: [PATCH] avcodec/vqavideo; Check bytestream2_get_buffer() reading next_codebook_buffer

Fixes: use of uninintilaized memory
Fixes: 423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6235973619351552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/vqavideo.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index b81d13ea67..99c86a4610 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -571,8 +571,9 @@ static int vqa_decode_frame_pal8(VqaContext *s, AVFrame *frame)
             }
 
             /* accumulate partial codebook */
-            bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
-                                   chunk_size);
+            if (chunk_size != bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
+                                   chunk_size))
+                return AVERROR_INVALIDDATA;
             s->next_codebook_buffer_index += chunk_size;
 
             s->partial_countdown--;
@@ -600,8 +601,9 @@ static int vqa_decode_frame_pal8(VqaContext *s, AVFrame *frame)
             }
 
             /* accumulate partial codebook */
-            bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
-                                   chunk_size);
+            if (chunk_size != bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
+                                   chunk_size))
+                return AVERROR_INVALIDDATA;
             s->next_codebook_buffer_index += chunk_size;
 
             s->partial_countdown--;
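Review bot: The new truncation check in the first hunk (and the identical one at @@ -600) returns AVERROR_INVALIDDATA silently, so a truncated partial-codebook chunk is indistinguishable in the decoder output from any other bad-data rejection, whereas the preceding bounds check whose closing brace opens the hunk presumably logs its reason (that call lies outside the hunk). A short `av_log(s->avctx, AV_LOG_ERROR, "truncated partial codebook chunk\n");` before the return would keep the two rejection paths consistent and make fuzzer reproductions easier to triage. The same effect reads more directly as a precondition on the input rather than a post-check on the copy: `if (bytestream2_get_bytes_left(&s->gb) < chunk_size) return AVERROR_INVALIDDATA;` followed by the unconditional `bytestream2_get_buffer(...)`, which also avoids comparing `chunk_size` against the function's unsigned return if `chunk_size` is declared as a signed int (its declaration is not in the hunk, so that is unconfirmed). Since both hunks now carry the same four lines, a small static helper that validates, copies and advances `next_codebook_buffer_index` would remove the duplication. vqa_decode_frame_pal8 begins and ends outside both hunks.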