[FFmpeg-cvslog] [ffmpeg] branch master updated. 50affd2b09 avcodec/rv60dec: clear pu_info

Fri, 15 Aug 2025 17:25:49 -0700 

The branch, master has been updated
       via  50affd2b09ca7ebf6beb287a087947be887b2417 (commit)
      from  61d00509244d7503b3ad467c719da2662d11b6c7 (commit)


- Log -----------------------------------------------------------------
commit 50affd2b09ca7ebf6beb287a087947be887b2417
Author:     Michael Niedermayer <mich...@niedermayer.cc>
AuthorDate: Fri Aug 15 19:49:19 2025 +0200
Commit:     michaelni <mich...@niedermayer.cc>
CommitDate: Sat Aug 16 00:24:52 2025 +0000

    avcodec/rv60dec: clear pu_info
    
    pu_info is read uninitialized on damaged input and at that point the 
following codepath is dependant
    on the uninitialized data. In one of these pathes out of array accesses 
happen.
    None of this is replicatable
    
    Less uninitialized data also should result in more reproducable reports
    
    Fixes: Use of uninitialized memory
    Fixes: 
418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904
    
    Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 4a3d9067db..208fbc68f7 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -308,6 +308,8 @@ static int update_dimensions_clear_info(RV60Context *s, int 
width, int height)
     if ((ret = av_reallocp_array(&s->blk_info, s->blk_stride * (s->cu_height 
<< 4), sizeof(s->blk_info[0]))) < 0)
         return ret;
 
+    memset(s->pu_info, 0, s->pu_stride * (s->cu_height << 3) * 
sizeof(s->pu_info[0]));
+
     for (int j = 0; j < s->cu_height << 4; j++)
         for (int i = 0; i < s->cu_width << 4; i++)
             s->blk_info[j*s->blk_stride + i].mv.mvref = MVREF_NONE;

-----------------------------------------------------------------------

Summary of changes:
 libavcodec/rv60dec.c | 2 ++
 1 file changed, 2 insertions(+)


hooks/post-receive
-- 

_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

To unsubscribe, visit link above, or email
ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to