ffmpeg | branch: release/6.1 | Michael Niedermayer <mich...@niedermayer.cc> | Sun Aug 3 14:52:36 2025 +0200| [95f209e7d976fd9b5f65f161e2517cd612f517f4] | committer: Michael Niedermayer
avcodec/vqavideo; Check bytestream2_get_buffer() reading next_codebook_buffer Fixes: use of uninintilaized memory Fixes: 423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6235973619351552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 44864dbbb9b87d13d8f4ec92fb8536be0f9dbbc4) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95f209e7d976fd9b5f65f161e2517cd612f517f4
---
 libavcodec/vqavideo.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 2977cf9a52..ce4c589211 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -570,8 +570,9 @@ static int vqa_decode_frame_pal8(VqaContext *s, AVFrame *frame)
 }
 /* accumulate partial codebook */
- bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
- chunk_size);
+ if (chunk_size != bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
+ chunk_size))
+ return AVERROR_INVALIDDATA;
 s->next_codebook_buffer_index += chunk_size;
 s->partial_countdown--;
@@ -599,8 +600,9 @@ static int vqa_decode_frame_pal8(VqaContext *s, AVFrame *frame)
 }
 /* accumulate partial codebook */
- bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
- chunk_size);
+ if (chunk_size != bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
+ chunk_size))
+ return AVERROR_INVALIDDATA;
 s->next_codebook_buffer_index += chunk_size;
 s->partial_countdown--;
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
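Review bot: The short-read exit added in both hunks (the accumulation at old line 570 and the identical one at old line 599) returns `AVERROR_INVALIDDATA` without any diagnostic, so a truncated codebook chunk is indistinguishable from the decoder's other invalid-data exits when triaging a fuzzer or field report; I would add something like `av_log(s->avctx, AV_LOG_ERROR, "truncated partial codebook chunk\n");` before each return, assuming `s->avctx` is the logging context used elsewhere in this decoder. The equality test also depends on `chunk_size` having the same unsigned type as the value `bytestream2_get_buffer()` returns; its declaration is outside the hunk and worth confirming. Since the two sites are now three identical lines each, a small `static` helper that copies, checks and advances `next_codebook_buffer_index` would keep them from drifting apart. `vqa_decode_frame_pal8` begins and ends outside both hunks, including the destination-size check that the closing `}` before the comment presumably belongs to.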