virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-10-30 23:18:11 +02:00
Code Issues Releases Activity

avcodec/ffv1enc_template: Fix remaining space check

Browse Source 
Fixes: Assertion sc->slice_coding_mode == 0 failed at libavcodec/ffv1enc.c:1667
Fixes: 408838118/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-6493138204295168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2025-05-14 00:15:41 +02:00
parent 27c5e4b39a
commit 67040773dc
1 changed files with 18 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
libavcodec/ffv1enc_template.c
View File

@@ -38,6 +38,24 @@ RENAME(encode_line)(FFV1Context *f, FFV1SliceContext *sc,
if (bits == 0)
return 0;
if (sc->slice_coding_mode == 1) {
av_assert0(ac != AC_GOLOMB_RICE);
if (c->bytestream_end - c->bytestream < (w * bits + 7LL)>>3) {
av_log(logctx, AV_LOG_ERROR, "encoded Range Coder frame too large\n");
return AVERROR_INVALIDDATA;
}
for (x = 0; x < w; x++) {
int i;
int v = sample[0][x];
for (i = bits-1; i>=0; i--) {
uint8_t state = 128;
put_rac(c, &state, (v>>i) & 1);
}
}
return 0;
}
if (ac != AC_GOLOMB_RICE) {
if (c->bytestream_end - c->bytestream < w * 35) {
av_log(logctx, AV_LOG_ERROR, "encoded Range Coder frame too large\n");
@@ -50,18 +68,6 @@ RENAME(encode_line)(FFV1Context *f, FFV1SliceContext *sc,
}
}
if (sc->slice_coding_mode == 1) {
for (x = 0; x < w; x++) {
int i;
int v = sample[0][x];
for (i = bits-1; i>=0; i--) {
uint8_t state = 128;
put_rac(c, &state, (v>>i) & 1);
}
}
return 0;
}
for (x = 0; x < w; x++) {
int diff, context;