virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-11-23 21:54:53 +02:00
Code Issues Releases Activity

avcodec/rv60dec: add upper bound check for qp

Browse Source 
The quantization parameter (qp) can exceed 63 when the base value
from frame header (0-63) is combined with the offset from slice data
(up to +2), resulting in qp=65. This causes out-of-bounds access to
the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and
get_c4x4_set().

Fixes: Out-of-bounds read
Signed-off-by: oblivionsage <cookieandcream560@gmail.com>

No testsample is available

This is related to 61cbcaf93f and clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264
which fixed rv60_qp_to_idx[qp + 32] out of array access
These 2 checks are not redundant and neither covers the cases of the other

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
oblivionsage
2025-11-07 18:08:14 +01:00
committed by Michael Niedermayer
parent 162f75b5e6
commit 8abeb879df
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libavcodec/rv60dec.c
View File

@@ -2265,7 +2265,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata, int cu_y, int thread
ff_thread_progress_await(&s->progress[cu_y - 1], cu_x + 2); ff_thread_progress_await(&s->progress[cu_y - 1], cu_x + 2);
qp = s->qp + read_qp_offset(&gb, s->qp_off_type); qp = s->qp + read_qp_offset(&gb, s->qp_off_type);
if (qp < 0) { if (qp < 0 || qp >= 64) {
ret = AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;
break; break;
} }