PR #23273 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23273 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23273.patch
Fixes: 472346780/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6711849308717056
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
>From 55942edecbf7d43fe1e4596144f2baf083bf5b78 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Fri, 29 May 2026 19:51:48 +0200
Subject: [PATCH] avcodec/vvc/ps: reject mismatched slice entry point count

Fixes: 472346780/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6711849308717056
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/vvc/ps.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c
index a591851238..97106892db 100644
--- a/libavcodec/vvc/ps.c
+++ b/libavcodec/vvc/ps.c
@@ -1439,10 +1439,12 @@ static void sh_partition_constraints(VVCSH *sh, const H266RawSPS *sps, const H26
 sh->min_qt_size[CHROMA] = 1 << min_qt_log2_size_y[CHROMA];
 }
 
-static void sh_entry_points(VVCSH *sh, const H266RawSPS *sps, const VVCPPS *pps)
+static int sh_entry_points(VVCSH *sh, const H266RawSPS *sps, const VVCPPS *pps)
 {
+ int j = 0;
+
 if (sps->sps_entry_point_offsets_present_flag) {
- for (int i = 1, j = 0; i < sh->num_ctus_in_curr_slice; i++) {
+ for (int i = 1; i < sh->num_ctus_in_curr_slice; i++) {
 const int pre_ctb_addr_x = sh->ctb_addr_in_curr_slice[i - 1] % pps->ctb_width;
 const int pre_ctb_addr_y = sh->ctb_addr_in_curr_slice[i - 1] / pps->ctb_width;
 const int ctb_addr_x = sh->ctb_addr_in_curr_slice[i] % pps->ctb_width;
@@ -1454,6 +1456,10 @@ static void sh_entry_points(VVCSH *sh, const H266RawSPS *sps, const VVCPPS *pps)
 }
 }
 }
+ if (j != sh->r->num_entry_points)
+ return AVERROR_INVALIDDATA;
+
+ return 0;
 }
 
 static int sh_derive(VVCSH *sh, const VVCFrameParamSets *fps)
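Review bot: `sh_entry_points` now returns a status in the first hunk, but nothing at its definition says what it validates or when it fails. I would add a short comment above the signature, e.g. `/* Derives the slice entry points; returns AVERROR_INVALIDDATA if their count differs from sh->r->num_entry_points, 0 otherwise. */`. The function body continues past this hunk into the next one, so without the comment a reader of the loop cannot tell why `j` was hoisted out of the `for` initialiser.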
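Review bot: The comparison `j != sh->r->num_entry_points` in the second hunk runs only after the loop has finished, so it rejects a mismatch but does not bound `j` while the loop is still running. `j` is advanced in the part of the loop body that lies between the first and second hunk and is not shown here; if it is used as a store index there, a stream that derives more entry points than were signalled has already written beyond the signalled count before this check returns. Consider guarding at the increment site with `if (j >= sh->r->num_entry_points) return AVERROR_INVALIDDATA;` and keeping the final comparison for the too-few case. The check also runs when `sps_entry_point_offsets_present_flag` is 0, which presumably relies on the parser leaving `num_entry_points` at 0 on that path; that is worth confirming against the slice header reader.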
@@ -1473,9 +1479,7 @@ static int sh_derive(VVCSH *sh, const VVCFrameParamSets *fps)
 sh_qp_y(sh, pps, ph);
 sh_deblock_offsets(sh);
 sh_partition_constraints(sh, sps, ph);
- sh_entry_points(sh, sps, fps->pps);
-
- return 0;
+ return sh_entry_points(sh, sps, fps->pps);
 }
 
 int ff_vvc_decode_sh(VVCSH *sh, const VVCFrameParamSets *fps, const CodedBitstreamUnit *unit)
-- 
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
