[FFmpeg-cvslog] [ffmpeg] branch master updated. cdee519d40 avcodec/dxv: Check coded_height, to avoid invalid av_clip()

ffmpeg-git at ffmpeg.org ffmpeg-git at ffmpeg.org
Tue Aug 19 17:27:34 EEST 2025


The branch, master has been updated
       via  cdee519d40e61bd65ba5b3fbec00acd50a08d0d9 (commit)
       via  0a5046c09996262d0f8b1802a4b34816f72fff06 (commit)
      from  7bfaa6d662f1f5eb000b0fae8288b07440464bff (commit)


- Log -----------------------------------------------------------------
commit cdee519d40e61bd65ba5b3fbec00acd50a08d0d9
Author:     Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Tue Aug 19 03:12:37 2025 +0200
Commit:     James Almer <jamrial at gmail.com>
CommitDate: Tue Aug 19 11:25:39 2025 -0300

    avcodec/dxv: Check coded_height, to avoid invalid av_clip()
    
    Fixes: assertion failure
    Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
    
    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index de01f1bacf..07eee253e7 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -940,6 +940,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame,
         }
         break;
     }
+    if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1)
+        return AVERROR_INVALIDDATA;
 
     texdsp_ctx.slice_count  = av_clip(avctx->thread_count, 1,
                                       avctx->coded_height / TEXTURE_BLOCK_H);
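Review bot: The new guard rejects any coded_height below 2 * TEXTURE_BLOCK_H, which is stricter than the av_clip() two lines down needs (that call only requires coded_height / TEXTURE_BLOCK_H >= 1), and nothing in the hunk says why the extra factor of 2 is there; presumably it covers a half-height chroma texture whose slice count is clipped later in dxv_decode, but that code is outside this hunk. A one-line comment would save the next reader the search, e.g. `/* luma and half-height chroma must each hold at least one block row, else the av_clip() ranges below are invalid */`. Note that a negative coded_height is also rejected by this test since the division yields a value below 1. dxv_decode starts and ends outside the hunk.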

commit 0a5046c09996262d0f8b1802a4b34816f72fff06
Author:     Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Tue Aug 19 03:09:14 2025 +0200
Commit:     James Almer <jamrial at gmail.com>
CommitDate: Tue Aug 19 11:25:39 2025 -0300

    avcodec: Use av_fast_realloc() in ff_lzf_uncompress()
    
    Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
    Fixes: mixed up realloc() functions
    
    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
    Co-Authored-by: James Almer <jamrial at gmail.com>
    Signed-off-by: James Almer <jamrial at gmail.com>

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index dd82e450b1..de01f1bacf 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -42,7 +42,7 @@ typedef struct DXVContext {
     uint8_t *ctex_data;  // Compressed chroma texture
     unsigned ctex_data_size;
 
-    int64_t tex_size;    // Texture size
+    size_t tex_size;     // Texture size
     int64_t ctex_size;   // Chroma texture size
 
     uint8_t *op_data[4]; // Opcodes
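Review bot: tex_size becomes size_t while the sibling field ctex_size on the very next line stays int64_t, so any code that compares or assigns between the two now mixes signedness; that code is outside this hunk, so I cannot tell whether such a comparison exists. If ctex_size is never passed to ff_lzf_uncompress() the asymmetry is deliberate and the field comment should say so, e.g. `size_t tex_size;     // logical size, grown by ff_lzf_uncompress(); capacity lives in tex_data_size`, so nobody "fixes" the types back into agreement.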
@@ -828,7 +828,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
 static int dxv_decompress_lzf(AVCodecContext *avctx)
 {
     DXVContext *ctx = avctx->priv_data;
-    return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size);
+    return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size, &ctx->tex_data_size);
 }
 
 static int dxv_decompress_raw(AVCodecContext *avctx)
diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
index 94b369dd59..8f223b1f42 100644
--- a/libavcodec/lzf.c
+++ b/libavcodec/lzf.c
@@ -37,7 +37,22 @@
 #define LZF_LITERAL_MAX (1 << 5)
 #define LZF_LONG_BACKREF 7 + 2
 
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
+
+static inline int lzf_realloc(uint8_t **buf, size_t *size, int addition, unsigned *allocated_size)
+{
+    void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition);
+
+    if (!ptr) {
+        av_freep(buf); //probably not needed
+        return AVERROR(ENOMEM);
+    }
+    *buf = ptr;
+    *size += addition;
+
+    return 0;
+}
+
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned *allocated_size)
 {
     int ret     = 0;
     uint8_t *p  = *buf;
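Review bot: On av_fast_realloc() failure lzf_realloc() frees *buf but leaves *size at its old value, so the caller's context is left with *buf == NULL and a non-zero logical size; if the same context is used again on a later call, ff_lzf_uncompress() starts with `p = *buf` == NULL and the `s > *size - len` test does not trigger a reallocation before the first write through p. Whether callers ever retry after ENOMEM I cannot tell from here, but keeping the pair consistent is one line: `av_freep(buf); *size = 0; return AVERROR(ENOMEM);` in place of the current two lines. The `//probably not needed` comment is also misleading: av_fast_realloc() leaves the original buffer untouched on failure, so the av_freep() is exactly the documented cleanup and the comment should be dropped. `addition` could be size_t rather than int, since both call sites pass non-negative counts and `*size + addition` is evaluated in size_t anyway.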
@@ -49,8 +64,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
         if (s < LZF_LITERAL_MAX) {
             s++;
             if (s > *size - len) {
-                *size += s + *size /2;
-                ret = av_reallocp(buf, *size);
+                ret = lzf_realloc(buf, size, s, allocated_size);
                 if (ret < 0)
                     return ret;
                 p = *buf + len;
@@ -75,8 +89,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 return AVERROR_INVALIDDATA;
 
             if (l > *size - len) {
-                *size += l + *size / 2;
-                ret = av_reallocp(buf, *size);
+                ret = lzf_realloc(buf, size, l, allocated_size);
                 if (ret < 0)
                     return ret;
                 p = *buf + len;
diff --git a/libavcodec/lzf.h b/libavcodec/lzf.h
index 0ad73d9f79..e61ebff727 100644
--- a/libavcodec/lzf.h
+++ b/libavcodec/lzf.h
@@ -24,6 +24,6 @@
 
 #include "bytestream.h"
 
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size);
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned *allocated_size);
 
 #endif /* AVCODEC_LZF_H */
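Review bot: The exported prototype in lzf.h still carries no doc comment, and the new fourth parameter changes the ownership contract in ways a caller must know: *size is the logical decompressed size, *allocated_size is the capacity tracked by av_fast_realloc() and must be 0 whenever *buf is NULL, and on allocation failure the buffer is freed and *buf set to NULL. A Doxygen block on this declaration should state those three parameter roles, that the caller owns and frees *buf, and the negative AVERROR return on failure (the success return value is not visible in this patch, so describe it from the definition).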
diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c
index 246a3e0174..d99de1810e 100644
--- a/libavcodec/notchlc.c
+++ b/libavcodec/notchlc.c
@@ -40,7 +40,8 @@ typedef struct NotchLCContext {
     unsigned uncompressed_size;
 
     uint8_t *lzf_buffer;
-    int64_t lzf_size;
+    size_t lzf_size;
+    unsigned lzf_alloc_size;
 
     unsigned texture_size_x;
     unsigned texture_size_y;
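Review bot: lzf_alloc_size is added without a comment and its pairing with lzf_buffer is left implicit: it is the capacity av_fast_realloc() maintains for lzf_buffer, so it must be 0 when lzf_buffer is NULL and must be reset wherever lzf_buffer is freed; the close path is outside this hunk and I cannot confirm it does so (presumably priv_data is zeroed at init, so the initial state is fine). Suggest `unsigned lzf_alloc_size; // capacity of lzf_buffer, maintained by av_fast_realloc(); reset to 0 when lzf_buffer is freed`.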
@@ -490,7 +491,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
         return AVERROR_PATCHWELCOME;
 
     if (s->format == 0) {
-        ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size);
+        ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size, &s->lzf_alloc_size);
         if (ret < 0)
             return ret;
 

-----------------------------------------------------------------------

Summary of changes:
 libavcodec/dxv.c     |  6 ++++--
 libavcodec/lzf.c     | 23 ++++++++++++++++++-----
 libavcodec/lzf.h     |  2 +-
 libavcodec/notchlc.c |  5 +++--
 4 files changed, 26 insertions(+), 10 deletions(-)

