virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-11-23 21:54:53 +02:00
Code Issues Releases Activity

avcodec/prores_raw: Check bits in get_value()

Browse Source 
The code loads 32bit so we can at maximum use 32bit

the return type is also changed to uint16_t (was requested in review),

no path is known where a return value above 32767 is produced, but that was not exhaustively checked

Fixes: runtime error: shift exponent -9 is negative
Fixes: 439483046/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_RAW_DEC_fuzzer-6649466540326912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2025-11-07 01:53:17 +01:00
parent 9ccc33d84d
commit 88b676105d
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/prores_raw.c
View File

@@ -59,7 +59,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
return 0;
}
static int16_t get_value(GetBitContext *gb, int16_t codebook)
static uint16_t get_value(GetBitContext *gb, int16_t codebook)
{
const int16_t switch_bits = codebook >> 8;
const int16_t rice_order = codebook & 0xf;
@@ -83,6 +83,8 @@ static int16_t get_value(GetBitContext *gb, int16_t codebook)
}
bits = exp_order + (q << 1) - switch_bits;
if (bits > 32)
return 0; // we do not return a negative error code so that we dont produce out of range values on errors
skip_bits_long(gb, bits);
return (b >> (32 - bits)) +
((switch_bits + 1) << rice_order) -
@@ -145,7 +147,7 @@ static int decode_comp(AVCodecContext *avctx, TileContext *tile,
int16_t dc_add = 0;
int16_t dc_codebook;
int16_t ac, rn, ln;
uint16_t ac, rn, ln;
int16_t ac_codebook = 49;
int16_t rn_codebook = 0;
int16_t ln_codebook = 66;