This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit ad6c823733ee95541bcf1e420e0154d8d34e3d4f Author: Michael Niedermayer <[email protected]> AuthorDate: Tue Dec 23 16:22:23 2025 +0100 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:54:58 2026 +0200 avcodec/dca_xll: Check get_rice_array() Fixes: use of uninitialized memory Fixes: 451655450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_DEC_fuzzer-6527248623796224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 11a5afea31be213f580f7fc9e05c9251472d1c85) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/dca_xll.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/libavcodec/dca_xll.c b/libavcodec/dca_xll.c
index d265cab8df..56e89cc1d2 100644
--- a/libavcodec/dca_xll.c
+++ b/libavcodec/dca_xll.c
@@ -60,12 +60,16 @@ static void get_linear_array(GetBitContext *gb, int32_t *array, int size, int n)
 array[i] = get_linear(gb, n);
 }
-static void get_rice_array(GetBitContext *gb, int32_t *array, int size, int k)
+static int get_rice_array(GetBitContext *gb, int32_t *array, int size, int k)
 {
 int i;
- for (i = 0; i < size; i++)
+ for (i = 0; i < size && get_bits_left(gb) > k; i++)
 array[i] = get_rice(gb, k);
+
+ if (i < size)
+ return AVERROR_INVALIDDATA;
+ return 0;
 }
 static int parse_dmix_coeffs(DCAXllDecoder *s, DCAXllChSet *c)
@@ -525,8 +529,10 @@ static int chs_parse_band_data(DCAXllDecoder *s, DCAXllChSet *c, int band, int s
 } else {
 // Rice codes
 // Unpack all residuals of part A of segment 0
- get_rice_array(&s->gb, part_a, c->nsamples_part_a[k],
- c->bitalloc_part_a[k]);
+ int ret = get_rice_array(&s->gb, part_a, c->nsamples_part_a[k],
+ c->bitalloc_part_a[k]);
+ if (ret < 0)
+ return ret;
 if (c->bitalloc_hybrid_linear[k]) {
 // Hybrid Rice codes
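Review bot: The new loop guard in get_rice_array(), `get_bits_left(gb) > k`, only guarantees the minimum size of one Rice code before each call, so it is a lower bound rather than proof that get_rice() stays inside the buffer; a long unary prefix is still limited only by whatever get_rice() does internally, which is outside this hunk. The changed return contract is also undocumented: I would add above the function `/* Returns 0, or AVERROR_INVALIDDATA if the bitstream ends before size values are read; array[i..size-1] is then left unwritten. */` so callers know the buffer is only partially filled on error. get_linear_array(), whose tail is visible in the context lines, still returns void with no equivalent check; it is worth confirming that reading past the end of the bitstream on that path yields defined values.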
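Review bot: Only the get_rice_array() call for part A is checked here, while the hybrid Rice branch that opens at the end of this hunk (`if (c->bitalloc_hybrid_linear[k])`) is not touched by the patch. Its body is outside the hunk, so this is a question rather than a finding: if that branch decodes Rice codes sample by sample instead of going through get_rice_array(), it does not get the new bits-left check and truncated input could still reach it. In that case the same `get_bits_left()` test and `AVERROR_INVALIDDATA` return would be needed there for the fix to cover every Rice path in chs_parse_band_data().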
@@ -556,7 +562,9 @@ static int chs_parse_band_data(DCAXllDecoder *s, DCAXllChSet *c, int band, int s
 } else {
 // Rice codes
 // Unpack all residuals of part B of segment 0 and others
- get_rice_array(&s->gb, part_b, nsamples_part_b, c->bitalloc_part_b[k]);
+ ret = get_rice_array(&s->gb, part_b, nsamples_part_b, c->bitalloc_part_b[k]);
+ if (ret < 0)
+ return ret;
 }
 }
 }
_______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
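Review bot: Both new error returns in chs_parse_band_data(), here for part B and in the part A hunk above, fail without any diagnostic, so a truncated XLL band cannot be told apart in logs from the function's other AVERROR_INVALIDDATA exits. An `av_log()` at error level before `return ret;` that names the band and channel would make fuzzer findings and field reports easier to triage. Separately, `ret` is assigned here without a declaration in this hunk; it presumably refers to the `int ret` introduced in the part A hunk, which only works if this block is nested inside that one. The enclosing braces are outside the hunk, so that scoping is worth checking whenever this cherry-pick is carried to another branch.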
