[FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val
Nuo Mi
nuomi2021 at gmail.com
Mon Jun 23 05:52:50 EEST 2025
On Sun, Jun 22, 2025 at 2:41 PM Andreas Rheinhardt <andreas.rheinhardt at outlook.com> wrote:
> Nuo Mi:
> > On Fri, Jun 20, 2025 at 8:40 AM Michael Niedermayer <michael at niedermayer.cc> wrote:
> >
> >> Fixes: integer overflow
> >> Fixes: 418314174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4871731867353088
> >>
> >> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >> ---
> >> libavcodec/vvc/ctu.c | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
> >> index ba4c89b1d1b..7fa2b496389 100644
> >> --- a/libavcodec/vvc/ctu.c
> >> +++ b/libavcodec/vvc/ctu.c
> >> @@ -2053,6 +2053,8 @@ static int palette_subblock_data(VVCLocalContext
> *lc,
> >> const int v = PALETTE_INDEX(xc, yc);
> >> if (v == esc) {
> >> const int coeff = ff_vvc_palette_escape_val(lc);
> >>
> > A check for < 0 is needed.
>
> The check below is performed as unsigned comparison. If coeff were < 0,
> then (unsigned)coeff is > INT_MAX and the check below triggers.
>
Ah, smart, but not so readable
>
> >
> >> + if (coeff >= (1U << sps->bit_depth))
> >> + return AVERROR_INVALIDDATA;
> >
> > const int pixel = av_clip_intp2(RSHIFT(coeff *
> scale,
> >> 6), sps->bit_depth);
> >> PALETTE_SET_PIXEL(xc, yc, pixel);
> >> } else {
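Review bot: the bound `coeff >= (1U << sps->bit_depth)` only rejects a negative `coeff` because the `int` is promoted to `unsigned` for the comparison, and as the thread itself notes that is not obvious to a reader of the code; make the intent explicit, either by spelling the check out as `if (coeff < 0 || coeff >= (1 << sps->bit_depth))` or by keeping the unsigned compare and adding a one-line comment above it stating that negative values are caught by the promotion, so that nobody later adds a redundant or subtly wrong sign check. It would also help to say in the commit message that bounding `coeff` to `bit_depth` bits is what keeps the `coeff * scale` product in the line below from overflowing, since that is the overflow the patch is fixing.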
> >> --
> >> 2.49.0