[FFmpeg-cvslog] apv_decode: Discard invalid run codes earlier
Mark Thompson
git at videolan.org
Tue May 13 23:01:15 EEST 2025
ffmpeg | branch: master | Mark Thompson <sw at jkqxz.net> | Tue May 13 20:50:38 2025 +0100| [527d5eaec70291d2845aca936dd64090fc226859] | committer: Mark Thompson
apv_decode: Discard invalid run codes earlier
Caught by ubsan - would cause an invalid shift in constructing the
run value.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=527d5eaec70291d2845aca936dd64090fc226859
---
libavcodec/apv_entropy.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/libavcodec/apv_entropy.c b/libavcodec/apv_entropy.c
index 49d5505b6b..1cab88d547 100644
--- a/libavcodec/apv_entropy.c
+++ b/libavcodec/apv_entropy.c
@@ -278,6 +278,13 @@ int ff_apv_entropy_decode_block(int16_t *restrict coeff,
bits = next_bits & 0xffff;
// Determine code length.
leading_zeroes = 15 - av_log2(bits);
+ if (leading_zeroes >= 6) {
+ // 6 zeroes implies run > 64, which is always invalid.
+ av_log(state->log_ctx, AV_LOG_ERROR,
+ "Out-of-range run value: %d leading zeroes.\n",
+ leading_zeroes);
+ return AVERROR_INVALIDDATA;
+ }
// Extract the low bits.
low_bit_count = leading_zeroes;
low_bit_shift = 16 - (1 + 2 * leading_zeroes);
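Review bot: The limit `6` in `if (leading_zeroes >= 6)` is a bare literal, repeated verbatim in the second hunk. Its comment explains the run limit but not the property ubsan flagged, namely that it also keeps `low_bit_shift = 16 - (1 + 2 * leading_zeroes)` at 5 or above. I would say so in the comment, for example `// 6 zeroes implies run > 64, which is always invalid; rejecting here also keeps low_bit_shift non-negative.`, and consider a named constant shared by both sites so the two checks cannot drift apart. The all-zero window (`bits == 0`) appears to be covered as well, since `av_log2(0)` should yield 0 and give 15 leading zeroes, but `av_log2` is not shown here, so that is worth confirming. The body of `ff_apv_entropy_decode_block` starts and ends outside the hunk.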
@@ -443,6 +450,13 @@ int ff_apv_entropy_decode_block(int16_t *restrict coeff,
bits = next_bits & 0xffff;
// Determine code length.
leading_zeroes = 15 - av_log2(bits);
+ if (leading_zeroes >= 6) {
+ // 6 zeroes implies run > 64, which is always invalid.
+ av_log(state->log_ctx, AV_LOG_ERROR,
+ "Out-of-range run value: %d leading zeroes.\n",
+ leading_zeroes);
+ return AVERROR_INVALIDDATA;
+ }
// Extract the low bits.
low_bit_count = leading_zeroes + k_run;
low_bit_shift = 16 - (1 + 2 * leading_zeroes + k_run);
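Review bot: On this path the shift amount also depends on `k_run`, which the added check does not bound. With `leading_zeroes` capped at 5, `low_bit_shift = 16 - (1 + 2 * leading_zeroes + k_run)` stays non-negative only while `k_run <= 5`. The range of `k_run` is established outside the hunk, so it may already be guaranteed by how it is derived. If so, a short comment before the shift computation would make the invariant visible to the next reader, for example `// k_run is clamped by the caller logic above, so low_bit_shift >= 0 once leading_zeroes <= 5.`. If it is not guaranteed, the check should account for `k_run` as well.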