From 88b676105dd20ea72b39c0627e1a4b8d6b071f33 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 7 Nov 2025 01:53:17 +0100
Subject: [PATCH] avcodec/prores_raw: Check bits in get_value()
The code loads 32bit so we can at maximum use 32bit the return type is also changed to uint16_t (was requested in review), no path is known where a return value above 32767 is produced, but that was not exhaustively checked
Fixes: runtime error: shift exponent -9 is negative
Fixes: 439483046/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_RAW_DEC_fuzzer-6649466540326912
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/prores_raw.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c
index 69ecec986c..7017480336 100644
--- a/libavcodec/prores_raw.c
+++ b/libavcodec/prores_raw.c
@@ -59,7 +59,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 return 0;
 }
-static int16_t get_value(GetBitContext *gb, int16_t codebook)
+static uint16_t get_value(GetBitContext *gb, int16_t codebook)
 {
 const int16_t switch_bits = codebook >> 8;
 const int16_t rice_order = codebook & 0xf;
@@ -83,6 +83,8 @@ static int16_t get_value(GetBitContext *gb, int16_t codebook)
 }
 bits = exp_order + (q << 1) - switch_bits;
+ if (bits > 32)
+ return 0; // we do not return a negative error code so that we dont produce out of range values on errors
 skip_bits_long(gb, bits);
 return (b >> (32 - bits)) + ((switch_bits + 1) << rice_order) -
@@ -145,7 +147,7 @@ static int decode_comp(AVCodecContext *avctx, TileContext *tile,
 int16_t dc_add = 0;
 int16_t dc_codebook;
- int16_t ac, rn, ln;
+ uint16_t ac, rn, ln;
 int16_t ac_codebook = 49;
 int16_t rn_codebook = 0;
 int16_t ln_codebook = 66;
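Review bot: The new guard in get_value() bounds `bits` only from above, but `b >> (32 - bits)` on the hunk's last line is equally undefined when `bits` is 0 or negative (a shift by the full width or more, assuming `b` is the 32-bit load the commit message describes), and `skip_bits_long(gb, bits)` would then be handed a non-positive count. Whether `exp_order + (q << 1) - switch_bits` can reach that range is not visible in this hunk; unless the codebook values supplied by the callers rule it out, a two-sided check `if (bits <= 0 || bits > 32) return 0;` closes both ends at the same cost and leaves the fuzzer-reported case fixed exactly as before. The early return would also benefit from a comment stating that 0 is deliberately both the error value and an in-range sample now that the function returns uint16_t, since the existing comment only says what is not returned. get_value's body, including the remainder of the return expression, continues outside the hunk.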