[FFmpeg-cvslog] [ffmpeg] 139/212: avcodec/wmv2dec: More Checks about reading skip bits

[Michael Niedermayer via ffmpeg-cvslog]

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/8.0
in repository ffmpeg.

commit bdaee31e4880dc0fd9cade7164efdebbc19e5529
Author:     Michael Niedermayer <mich...@niedermayer.cc>
AuthorDate: Thu Mar 12 22:58:18 2026 +0100
Commit:     Michael Niedermayer <mich...@niedermayer.cc>
CommitDate: Sun May 3 19:56:53 2026 +0200

    avcodec/wmv2dec: More Checks about reading skip bits
    
    Fixes: out of array read with --disable-safe-bitstream-reader
    Fixes: poc_wmv2.avi
    
    Note, this requires the safe bitstream reader to be turned off by the user 
and the user disregarding the security warning
    
    Change suggested by: Guanni Qu <qgua...@gmail.com>
    Found-by: Guanni Qu <qgua...@gmail.com>
    Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
    (cherry picked from commit f73849887cb9c0d966eb9d27262890be82c2fd10)
    Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/wmv2dec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c
index 512d63b23e..f3782586e3 100644
--- a/libavcodec/wmv2dec.c
+++ b/libavcodec/wmv2dec.c
@@ -131,6 +131,8 @@ static int parse_mb_skip(WMV2DecContext *w)
                     mb_type[mb_y * h->c.mb_stride + mb_x] =
                         MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
             } else {
+                if (get_bits_left(&h->gb) < h->c.mb_width)
+                    return AVERROR_INVALIDDATA;
                 for (int mb_x = 0; mb_x < h->c.mb_width; mb_x++)
                     mb_type[mb_y * h->c.mb_stride + mb_x] =
                         (get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | MB_TYPE_16x16 
| MB_TYPE_FORWARD_MV;
@@ -146,6 +148,8 @@ static int parse_mb_skip(WMV2DecContext *w)
                     mb_type[mb_y * h->c.mb_stride + mb_x] =
                         MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
             } else {
+                if (get_bits_left(&h->gb) < h->c.mb_height)
+                    return AVERROR_INVALIDDATA;
                 for (int mb_y = 0; mb_y < h->c.mb_height; mb_y++)
                     mb_type[mb_y * h->c.mb_stride + mb_x] =
                         (get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | MB_TYPE_16x16 
| MB_TYPE_FORWARD_MV;

_______________________________________________
ffmpeg-cvslog mailing list -- ffmpeg-cvslog@ffmpeg.org
To unsubscribe send an email to ffmpeg-cvslog-le...@ffmpeg.org