[FFmpeg-cvslog] [ffmpeg] branch master updated. 50affd2b09 avcodec/rv60dec: clear pu_info

ffmpeg-git at ffmpeg.org ffmpeg-git at ffmpeg.org
Sat Aug 16 03:25:38 EEST 2025


The branch, master has been updated
       via  50affd2b09ca7ebf6beb287a087947be887b2417 (commit)
      from  61d00509244d7503b3ad467c719da2662d11b6c7 (commit)


- Log -----------------------------------------------------------------
commit 50affd2b09ca7ebf6beb287a087947be887b2417
Author:     Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Fri Aug 15 19:49:19 2025 +0200
Commit:     michaelni <michael at niedermayer.cc>
CommitDate: Sat Aug 16 00:24:52 2025 +0000

    avcodec/rv60dec: clear pu_info
    
    pu_info is read uninitialized on damaged input and at that point the following codepath is dependent
    on the uninitialized data. In one of these paths out of array accesses happen.
    None of this is replicable
    
    Less uninitialized data also should result in more reproducible reports
    
    Fixes: Use of uninitialized memory
    Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904
    
    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 4a3d9067db..208fbc68f7 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -308,6 +308,8 @@ static int update_dimensions_clear_info(RV60Context *s, int width, int height)
     if ((ret = av_reallocp_array(&s->blk_info, s->blk_stride * (s->cu_height << 4), sizeof(s->blk_info[0]))) < 0)
         return ret;
 
+    memset(s->pu_info, 0, s->pu_stride * (s->cu_height << 3) * sizeof(s->pu_info[0]));
+
     for (int j = 0; j < s->cu_height << 4; j++)
         for (int i = 0; i < s->cu_width << 4; i++)
             s->blk_info[j*s->blk_stride + i].mv.mvref = MVREF_NONE;
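Review bot: the added memset assumes s->pu_info has already been (re)allocated to at least s->pu_stride * (s->cu_height << 3) elements, but the visible context shows only the av_reallocp_array call for s->blk_info; confirm that the pu_info reallocation precedes this point in update_dimensions_clear_info, otherwise the clear writes through a stale or NULL pointer. The size expression here duplicates whatever the allocation uses, so a short comment tying the two together (or a shared local holding the element count used by both) would keep them from drifting apart on a later change. It would also help to document that an all-zero pu_info entry is a safe default for the later code paths that the commit message says depend on it, since the change makes their behaviour deterministic rather than showing that the zero state is handled.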

-----------------------------------------------------------------------

Summary of changes:
 libavcodec/rv60dec.c | 2 ++
 1 file changed, 2 insertions(+)

