PR #23297 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23297
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23297.patch
Fixes: 501794431/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-4792576644546560 Fixes: 501898692/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-4772278394224640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> >From 145263de2cf6ca651fcb3fe73d54880d132d714d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Sun, 31 May 2026 13:01:12 +0200 Subject: [PATCH] avcodec/av1dec: reject tile group with tg_end beyond NumTiles Fixes: 501794431/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-4792576644546560 Fixes: 501898692/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-4772278394224640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/av1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 78edb3c8d4..812ffe6030 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -437,6 +437,9 @@ static int get_tiles_info(AVCodecContext *avctx, const AV1RawTileGroup *tile_gro s->tg_start = tile_group->tg_start; s->tg_end = tile_group->tg_end; + if (tile_group->tg_end >= s->raw_frame_header->tile_cols * s->raw_frame_header->tile_rows) + return AVERROR_INVALIDDATA; + for (tile_num = tile_group->tg_start; tile_num <= tile_group->tg_end; tile_num++) { tile_row = tile_num / s->raw_frame_header->tile_cols; tile_col = tile_num % s->raw_frame_header->tile_cols; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
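Review bot: In get_tiles_info() the new bound check sits after `s->tg_start = tile_group->tg_start;` and `s->tg_end = tile_group->tg_end;`, so on the AVERROR_INVALIDDATA path the decoder context still holds the rejected tg_end. Moving the `if (tile_group->tg_end >= ...)` test above the two assignments would keep the out-of-range value out of the context for any code that reads s->tg_end after a failed call. The check also bounds only tg_end; the loop starts at tg_start, which stays in range only if tg_start <= tg_end is enforced somewhere outside this hunk, so it is worth confirming that or testing it here as well. An av_log(avctx, AV_LOG_ERROR, ...) line naming tg_end and the tile count would make the rejection diagnosable, and the commit message could state which access the oversized tile_num reached, since the Fixes lines only carry the test case ids.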
