"When aps_params_type is equal to ALF_APS or SCALING_APS, the value of aps_adaptation_parameter_set_id shall be in the range of 0 to 7, inclusive. When aps_params_type is equal to LMCS_APS, the value of aps_adaptation_parameter_set_id shall be in the range of 0 to 3, inclusive."
Fixes: out of array accesses Fixes: 65932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4563412340244480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/vvc/vvc_ps.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/vvc/vvc_ps.c b/libavcodec/vvc/vvc_ps.c index c2afc0ac932..41589c138d1 100644 --- a/libavcodec/vvc/vvc_ps.c +++ b/libavcodec/vvc/vvc_ps.c @@ -991,12 +991,19 @@ int ff_vvc_decode_aps(VVCParamSets *ps, const CodedBitstreamUnit *unit) switch (aps->aps_params_type) { case APS_ALF: + if (aps->aps_adaptation_parameter_set_id >= FF_ARRAY_ELEMS(ps->alf_list)) + return AVERROR_INVALIDDATA; + ret = aps_decode_alf(&ps->alf_list[aps->aps_adaptation_parameter_set_id], aps); break; case APS_LMCS: + if (aps->aps_adaptation_parameter_set_id >= FF_ARRAY_ELEMS(ps->lmcs_list)) + return AVERROR_INVALIDDATA; ff_refstruct_replace(&ps->lmcs_list[aps->aps_adaptation_parameter_set_id], aps); break; case APS_SCALING: + if (aps->aps_adaptation_parameter_set_id >= FF_ARRAY_ELEMS(ps->scaling_list)) + return AVERROR_INVALIDDATA; ret = aps_decode_scaling(&ps->scaling_list[aps->aps_adaptation_parameter_set_id], aps); break; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
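Review bot: In the APS_LMCS case the new bound is `FF_ARRAY_ELEMS(ps->lmcs_list)`, which prevents the out-of-array access but enforces the spec range quoted in the commit message (0 to 3 for LMCS_APS, 0 to 7 for ALF_APS and SCALING_APS) only if each list is declared with exactly that many elements. The array declarations are not visible in this hunk, so please confirm that `lmcs_list` has 4 entries and that `alf_list` and `scaling_list` have 8. If `lmcs_list` is larger, ids 4 to 7 would still be accepted for LMCS even though the bitstream is non-conforming, and an explicit comparison against the spec limit would be clearer. Two smaller points: the three new checks `return AVERROR_INVALIDDATA;` directly, while the existing paths assign `ret` and `break`, so if anything runs after the switch it is skipped on the error path, and `ret = AVERROR_INVALIDDATA; break;` would match the surrounding pattern. Also, the ALF case adds a blank line after its check and the other two cases do not; pick one style for all three.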