This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new ba55f425fd avcodec/hevc: Fix integer overflow in WPP entry point range
check
ba55f425fd is described below
commit ba55f425fdd889a7998fce068367e9d3a6c40af4
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Jun 24 03:00:42 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Mon Jul 13 18:36:11 2026 +0000
avcodec/hevc: Fix integer overflow in WPP entry point range check
Fixes: out of array access
Fixes: poc.hevc / make_poc.py
Fixes: 83WY4xnR87vb
Fixes: dad354f38d (avcodec/hevc: Check max ctb addresses for WPP)
Found-by: VulnForge Security Research Team <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/hevc/hevcdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index b4c2d82e8d..1c03289116 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -2920,7 +2920,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const
H2645NAL *nal)
int64_t startheader, cmpt = 0;
int j, res = 0;
- if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets *
sps->ctb_width >= sps->ctb_width * sps->ctb_height) {
+ if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets *
(int64_t)sps->ctb_width >= sps->ctb_width * (int64_t)sps->ctb_height) {
av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d
%d)\n",
s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets,
sps->ctb_width, sps->ctb_height
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]