This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new ba55f425fd avcodec/hevc: Fix integer overflow in WPP entry point range 
check
ba55f425fd is described below

commit ba55f425fdd889a7998fce068367e9d3a6c40af4
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Wed Jun 24 03:00:42 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Mon Jul 13 18:36:11 2026 +0000

    avcodec/hevc: Fix integer overflow in WPP entry point range check
    
    Fixes: out of array access
    Fixes: poc.hevc / make_poc.py
    Fixes: 83WY4xnR87vb
    Fixes: dad354f38d (avcodec/hevc: Check max ctb addresses for WPP)
    Found-by: VulnForge Security Research Team <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/hevc/hevcdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index b4c2d82e8d..1c03289116 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -2920,7 +2920,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
H2645NAL *nal)
     int64_t startheader, cmpt = 0;
     int j, res = 0;
 
-    if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * 
sps->ctb_width >= sps->ctb_width * sps->ctb_height) {
+    if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * 
(int64_t)sps->ctb_width >= sps->ctb_width * (int64_t)sps->ctb_height) {
         av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d 
%d)\n",
             s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets,
             sps->ctb_width, sps->ctb_height

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to