wrapper/FFmpeg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

avcodec/rv60dec: Check ofs for overflows

Browse source 
Fixes: signed integer overflow: 30 + 2147483647 cannot be represented in type 'int'
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-6568264620900352

Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2025-06-28 02:21:57 +02:00
parent e68599f551
commit ecbe3e7366
No known key found for this signature in database
GPG key ID: B18E8928B3948D64
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
libavcodec/rv60dec.c
View file

@ -2347,10 +2347,12 @@ static int rv60_decode_frame(AVCodecContext *avctx, AVFrame * frame,
ofs = get_bits_count(&gb) / 8;
for (int i = 0; i < s->cu_height; i++) {
if (header_size + ofs >= avpkt->size)
if (ofs >= avpkt->size - header_size)
return AVERROR_INVALIDDATA;
s->slice[i].data = avpkt->data + header_size + ofs;
s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs);
if (s->slice[i].size > INT32_MAX - ofs)
return AVERROR_INVALIDDATA;
ofs += s->slice[i].size;
}