On Fri, Jun 20, 2025 at 8:40 AM Michael Niedermayer <mich...@niedermayer.cc>
wrote:

> The return value is int, we can thus not handle 31 or more bits
>
> Fixes: integer overflow
> Fixes:
> 418396701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4730994378997760
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
>  libavcodec/vvc/cabac.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/vvc/cabac.c b/libavcodec/vvc/cabac.c
> index 6847ce59aff..78703cb065e 100644
> --- a/libavcodec/vvc/cabac.c
> +++ b/libavcodec/vvc/cabac.c
> @@ -937,6 +937,8 @@ static int kth_order_egk_decode(CABACContext *c, int k)
>
>      while (bit) {
>          bit = get_cabac_bypass(c);
> +        if (k >= 31)
> +            return AVERROR_PATCHWELCOME;
>
Hi Michael,
Thank you for the patch.

We may need to check the return value from ff_vvc_palette_predictor_run[1],
as it also uses kth_order_egk_decode.

[1]: https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/vvc/ctu.c#L1860

         value += bit << k++;
>      }
>
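Review bot: the new `if (k >= 31)` guard is placed after `bit = get_cabac_bypass(c);` rather than before it, so one bypass bin is consumed before the error is returned; since the function bails out anyway this is harmless, but putting the check at the top of the loop body would make it read as guarding `bit << k++` directly, which is the overflowing expression (with k <= 30 the accumulated sum of `bit << k` terms stays at or below INT_MAX, at k == 31 the shift no longer fits a signed int). More importantly, AVERROR_PATCHWELCOME is a negative int while the function's return value is otherwise a decoded syntax element, so every caller of kth_order_egk_decode (the reply already points at ff_vvc_palette_predictor_run) must test `ret < 0` before using the result, otherwise the error code is silently consumed as a value; it would help to state that contract, and the reason for the bound of 31, in the commit message.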
> --
> 2.49.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
>