xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/rv60dec: check last_size

Browse Source 
Fixes: signed integer overflow: 1878131215 + 2013265920 cannot be represented in type 'int'
Fixes: 472729732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-4893818005815296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-02-16 01:58:01 +01:00
committed by michaelni
parent c9404f5b9c
commit 360a4025fb
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavcodec/rv60dec.c
+3 -3
View File
@@ -395,14 +395,14 @@ static int read_frame_header(RV60Context *s, GetBitContext *gb, int * width, int
static int read_slice_sizes(RV60Context *s, GetBitContext *gb)
{
int nbits = get_bits(gb, 5) + 1;
int last_size;
int64_t last_size;
for (int i = 0; i < s->cu_height; i++)
s->slice[i].sign = get_bits1(gb);
s->slice[0].size = last_size = get_bits_long(gb, nbits);
if (last_size < 0)
if (last_size < 0 || last_size > INT32_MAX)
return AVERROR_INVALIDDATA;
for (int i = 1; i < s->cu_height; i++) {
@@ -411,7 +411,7 @@ static int read_slice_sizes(RV60Context *s, GetBitContext *gb)
last_size += diff;
else
last_size -= diff;
if (last_size <= 0)
if (last_size <= 0 || last_size > INT32_MAX)
return AVERROR_INVALIDDATA;
s->slice[i].size = last_size;
}