[FFmpeg-devel] [PATCH 7/8] avcodec/vvc/cabac: Check k in kth_order_egk_decode()

Nuo Mi nuomi2021 at gmail.com
Sun Jun 22 05:29:51 EEST 2025


On Fri, Jun 20, 2025 at 8:40 AM Michael Niedermayer <michael at niedermayer.cc>
wrote:

> The return value is int; we can thus not handle 31 or more bits
>
> Fixes: integer overflow
> Fixes: 418396701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4730994378997760
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/vvc/cabac.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/vvc/cabac.c b/libavcodec/vvc/cabac.c
> index 6847ce59aff..78703cb065e 100644
> --- a/libavcodec/vvc/cabac.c
> +++ b/libavcodec/vvc/cabac.c
> @@ -937,6 +937,8 @@ static int kth_order_egk_decode(CABACContext *c, int k)
>
>      while (bit) {
>          bit = get_cabac_bypass(c);
> +        if (k >= 31)
> +            return AVERROR_PATCHWELCOME;
>
Hi Michael,
Thank you for the patch.

We may need to check the return value from ff_vvc_palette_predictor_run[1],
as it also uses kth_order_egk_decode.

[1]: https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/vvc/ctu.c#L1860

         value += bit << k++;
>      }
>
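Review bot: the new k >= 31 check makes the int return of kth_order_egk_decode() carry either a decoded value or a negative error, but the hunk touches only the function body, so every caller now has to test for a negative result before using it as a magnitude; the reply above already names ff_vvc_palette_predictor_run() as one such caller, and the patch should update every call site the same way or the negative value will be consumed as data. Two smaller points: the check sits after get_cabac_bypass(c), so one bypass bin is consumed before the error is returned (harmless if decoding stops there, but placing the check before the read leaves the engine state untouched on the error path); and AVERROR_PATCHWELCOME normally marks an unimplemented feature, whereas, as the commit message says, a prefix this long cannot yield a value representable in the int return, so AVERROR_INVALIDDATA may describe the rejection better. The bound itself is right: with k == 30 the last bit << k++ is 1 << 30, which fits, and the check fires before any shift by 31.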
> --
> 2.49.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>
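The overflow the patch guards against is easiest to see in a stand-alone k-th order Exp-Golomb decoder. The C below is an added example, not FFmpeg's code: a plain MSB-first bit reader stands in for CABAC bypass bins (the real decoder derives them arithmetically via get_cabac_bypass()), the encoder follows the EGk binarization of H.266 clause 9.3.3.6 so round trips can be checked, and EGK_OVERFLOW is an assumed stand-in for a negative AVERROR code. The decoder applies the same k >= 31 bound as the hunk; the constructed all-0xFF input never terminates the prefix and reaches it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Negative sentinel standing in for a negative AVERROR code (an assumption
 * of this example, not FFmpeg's constant). */
#define EGK_OVERFLOW (-1)

/* Plain MSB-first bit reader. In libavcodec the bins come from the CABAC
 * bypass engine; this reader only stands in for get_cabac_bypass(). */
typedef struct {
    const uint8_t *buf;
    size_t nbits;
    size_t pos;
} BitReader;

static int read_bit(BitReader *br)
{
    int bit;
    if (br->pos >= br->nbits)
        return 0;          /* exhausted input reads as 0 and ends the prefix */
    bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Bit writer used only to construct test codewords. */
typedef struct {
    uint8_t buf[16];
    size_t pos;
} BitWriter;

static void write_bit(BitWriter *bw, int bit)
{
    if (bit)
        bw->buf[bw->pos >> 3] |= (uint8_t)(0x80 >> (bw->pos & 7));
    bw->pos++;
}

/* k-th order Exp-Golomb binarization (H.266 9.3.3.6): one 1 bin per 2^k
 * subtracted with k growing each time, a 0 bin, then k suffix bins.
 * Callers keep abs_v below 2^31 so 1u << k stays defined. */
static void egk_encode(BitWriter *bw, uint32_t abs_v, int k)
{
    while (abs_v >= (1u << k)) {
        write_bit(bw, 1);
        abs_v -= 1u << k;
        k++;
    }
    write_bit(bw, 0);
    while (k--)
        write_bit(bw, (int)((abs_v >> k) & 1));
}

/* Inverse of egk_encode() with the patch's bound. Each 1 bin adds 1 << k
 * and bumps k; once k reaches 31 the next shift would not fit the int
 * accumulator, so the decoder returns an error instead of shifting.
 * When the terminating 0 bin arrives at k == 30 the prefix sum is at most
 * 2^30 - 2^k0 and the 30 suffix bins add at most 2^30 - 1, still < 2^31. */
static int egk_decode(BitReader *br, int k)
{
    int bit   = 1;
    int value = 0;
    while (bit) {
        bit = read_bit(br);
        if (k >= 31)
            return EGK_OVERFLOW;
        value += bit << k++;
    }
    if (--k)                           /* k is now k0 + number of prefix 1s */
        while (k--)
            value += read_bit(br) << k;
    return value;
}

/* Encode abs_v with order k into a fresh buffer and decode it back. */
static int egk_roundtrip(uint32_t abs_v, int k)
{
    BitWriter bw = { {0}, 0 };
    BitReader br;
    egk_encode(&bw, abs_v, k);
    br.buf   = bw.buf;
    br.nbits = bw.pos;
    br.pos   = 0;
    return egk_decode(&br, k);
}

static int egk_decode_bytes(const uint8_t *buf, size_t len, int k)
{
    BitReader br = { buf, len * 8, 0 };
    return egk_decode(&br, k);
}

/* Constructed inputs: the EG0 codeword for 5 is 1 1 0 10 (zero padded), and
 * a fuzzer-style run of 64 one bins that never terminates the prefix. */
static const uint8_t EG0_FIVE[1] = { 0xD0 };
static const uint8_t ALL_ONES[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

int main(void)
{
    printf("EG0 codeword 0xD0 decodes to %d\n",
           egk_decode_bytes(EG0_FIVE, sizeof EG0_FIVE, 0));
    printf("EG3(1000) round trip: %d\n", egk_roundtrip(1000, 3));
    printf("64 one bins with k=0: %d (EGK_OVERFLOW = %d)\n",
           egk_decode_bytes(ALL_ONES, sizeof ALL_ONES, 0), EGK_OVERFLOW);
    return 0;
}
```

Since k grows by one per prefix bin, 31 - k consecutive one bins are enough to trip the bound (32 bins read in total for k = 0, because the check runs after the read). The bound on k, not exhaustion of the input, is what keeps the shift below 31: here the reader pads with zeros, but the guard must hold for any bin source.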