[FFmpeg-cvslog] avcodec/rv60dec: Check ofs for overflows

Fri Jul 4 00:08:05 EEST 2025

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Jun 28 02:21:57 2025 +0200| [ecbe3e73662b765b1ab0147da105186799ac83c7] | committer: Michael Niedermayer

avcodec/rv60dec: Check ofs for overflows

Fixes: signed integer overflow: 30 + 2147483647 cannot be represented in type 'int'
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-6568264620900352

Reviewed-by: Peter Ross <pross at xvid.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ecbe3e73662b765b1ab0147da105186799ac83c7
---

 libavcodec/rv60dec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 6075598861..4a3d9067db 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2347,10 +2347,12 @@ static int rv60_decode_frame(AVCodecContext *avctx, AVFrame * frame,
     ofs = get_bits_count(&gb) / 8;
 
     for (int i = 0; i < s->cu_height; i++) {
-        if (header_size + ofs >= avpkt->size)
+        if (ofs >= avpkt->size - header_size)
             return AVERROR_INVALIDDATA;
         s->slice[i].data = avpkt->data + header_size + ofs;
         s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs);
+        if (s->slice[i].size > INT32_MAX - ofs)
+            return AVERROR_INVALIDDATA;
         ofs += s->slice[i].size;
     }
 

