virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-04 22:03:09 +02:00
Code Issues Releases Activity

avcodec/rv60dec: Check ofs for overflows

Browse Source 
Fixes: signed integer overflow: 30 + 2147483647 cannot be represented in type 'int'
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-6568264620900352

Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2025-06-28 02:21:57 +02:00
parent e68599f551
commit ecbe3e7366
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/rv60dec.c
View File

@ -2347,10 +2347,12 @@ static int rv60_decode_frame(AVCodecContext *avctx, AVFrame * frame,
ofs = get_bits_count(&gb) / 8; ofs = get_bits_count(&gb) / 8;
for (int i = 0; i < s->cu_height; i++) { for (int i = 0; i < s->cu_height; i++) {
if (header_size + ofs >= avpkt->size) if (ofs >= avpkt->size - header_size)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
s->slice[i].data = avpkt->data + header_size + ofs; s->slice[i].data = avpkt->data + header_size + ofs;
s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs); s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs);
if (s->slice[i].size > INT32_MAX - ofs)
return AVERROR_INVALIDDATA;
ofs += s->slice[i].size; ofs += s->slice[i].size;
} }