The branch, master has been updated
via 50affd2b09ca7ebf6beb287a087947be887b2417 (commit)
from 61d00509244d7503b3ad467c719da2662d11b6c7 (commit)
- Log -----------------------------------------------------------------
commit 50affd2b09ca7ebf6beb287a087947be887b2417
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Aug 15 19:49:19 2025 +0200
Commit: michaelni <[email protected]>
CommitDate: Sat Aug 16 00:24:52 2025 +0000
avcodec/rv60dec: clear pu_info
pu_info is read uninitialized on damaged input and at that point the following codepath is dependent on the uninitialized data. In one of these paths out of array accesses happen.
None of this is replicatable
Less uninitialized data also should result in more reproducible reports
Fixes: Use of uninitialized memory
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 4a3d9067db..208fbc68f7 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -308,6 +308,8 @@ static int update_dimensions_clear_info(RV60Context *s, int
width, int height)
if ((ret = av_reallocp_array(&s->blk_info, s->blk_stride * (s->cu_height
<< 4), sizeof(s->blk_info[0]))) < 0)
return ret;
+ memset(s->pu_info, 0, s->pu_stride * (s->cu_height << 3) *
sizeof(s->pu_info[0]));
+
for (int j = 0; j < s->cu_height << 4; j++)
for (int i = 0; i < s->cu_width << 4; i++)
s->blk_info[j*s->blk_stride + i].mv.mvref = MVREF_NONE;
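Review bot: the added memset of pu_info (placed right after the blk_info reallocation) assumes pu_info is already allocated for at least pu_stride * (s->cu_height << 3) entries at this point, but nothing in the visible context shows that allocation, so please confirm it happens earlier in update_dimensions_clear_info or in the caller, and that the cleared size matches the allocated size, ideally by computing the element count once and using it for both so they cannot drift apart. Zeroing also only turns the uninitialized read described in the commit message into a read of a deterministic zero: it stops the out-of-array path from depending on garbage, but the decode path should still write or validate every pu_info entry it later reads on damaged input, and if this function only runs on a dimension change, entries left unwritten by a later damaged frame will hold stale values from the previous frame rather than zeros.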
-----------------------------------------------------------------------
Summary of changes:
libavcodec/rv60dec.c | 2 ++
1 file changed, 2 insertions(+)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list
[email protected]
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog