[FFmpeg-cvslog] avcodec/rv60dec: Check ofs for overflows
Michael Niedermayer
git at videolan.org
Fri Jul 4 00:08:05 EEST 2025
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Jun 28 02:21:57 2025 +0200| [ecbe3e73662b765b1ab0147da105186799ac83c7] | committer: Michael Niedermayer
avcodec/rv60dec: Check ofs for overflows
Fixes: signed integer overflow: 30 + 2147483647 cannot be represented in type 'int'
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-6568264620900352
Reviewed-by: Peter Ross <pross at xvid.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ecbe3e73662b765b1ab0147da105186799ac83c7
---
libavcodec/rv60dec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 6075598861..4a3d9067db 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2347,10 +2347,12 @@ static int rv60_decode_frame(AVCodecContext *avctx, AVFrame * frame,
ofs = get_bits_count(&gb) / 8;
for (int i = 0; i < s->cu_height; i++) {
- if (header_size + ofs >= avpkt->size)
+ if (ofs >= avpkt->size - header_size)
return AVERROR_INVALIDDATA;
s->slice[i].data = avpkt->data + header_size + ofs;
s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs);
+ if (s->slice[i].size > INT32_MAX - ofs)
+ return AVERROR_INVALIDDATA;
ofs += s->slice[i].size;
}
More information about the ffmpeg-cvslog
mailing list