[FFmpeg-devel] [PATCH] avcodec/rv60dec: Check ofs for overflows
Michael Niedermayer
michael at niedermayer.cc
Sat Jun 28 03:21:57 EEST 2025
Fixes: signed integer overflow: 30 + 2147483647 cannot be represented in type 'int'
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-6568264620900352
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/rv60dec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 6075598861d..4a3d9067db6 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2347,10 +2347,12 @@ static int rv60_decode_frame(AVCodecContext *avctx, AVFrame * frame,
ofs = get_bits_count(&gb) / 8;
for (int i = 0; i < s->cu_height; i++) {
- if (header_size + ofs >= avpkt->size)
+ if (ofs >= avpkt->size - header_size)
return AVERROR_INVALIDDATA;
s->slice[i].data = avpkt->data + header_size + ofs;
s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs);
+ if (s->slice[i].size > INT32_MAX - ofs)
+ return AVERROR_INVALIDDATA;
ofs += s->slice[i].size;
}
--
2.49.0
More information about the ffmpeg-devel
mailing list