This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit f8501d3399c748f297ed7ed323f0b1f0ba194037 Author: Michael Niedermayer <[email protected]> AuthorDate: Tue Feb 10 18:42:07 2026 +0100 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:55:11 2026 +0200 avcodec/svq1dec: Check input space for minimum We reject inputs that are significantly smaller than the smallest frame. This check raises the minimum input needed before time consuming computations are performed it thus improves the computation per input byte and reduces the potential DoS impact Fixes: Timeout Fixes: 472769364/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ1_DEC_fuzzer-5519737145851904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit d538a71ad52404662d986ec9921b6bc53d353e7f) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/svq1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index d6b6bec72d..da79985181 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -680,6 +680,11 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, avctx->skip_frame >= AVDISCARD_ALL) return buf_size; + // Reject obviously too-small packets early: require at least one remaining bit per aligned luma macroblock. + // FFALIGN(s->width, 16) * FFALIGN(s->height, 16) / 256 represent the number of Macroblocks + if (get_bits_left(&s->gb) < FFALIGN(s->width, 16) * FFALIGN(s->height, 16) / 256) + return AVERROR_INVALIDDATA; + result = ff_get_buffer(avctx, cur, s->nonref ? 0 : AV_GET_BUFFER_FLAG_REF); if (result < 0) return result; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
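Review bot: In the added condition in svq1_decode_frame(), the threshold `FFALIGN(s->width, 16) * FFALIGN(s->height, 16) / 256` multiplies the two aligned dimensions as plain ints before dividing, so its correctness depends on width and height being bounded somewhere outside this hunk. Nothing in the visible lines shows that bound. Computing the count per axis, for example `(FFALIGN(s->width, 16) >> 4) * (FFALIGN(s->height, 16) >> 4)`, gives the same value with a much smaller intermediate. Storing it in a named local would also remove the need for the second comment line, which repeats the expression verbatim and should read "represents the number of macroblocks" if it is kept. The check runs after the `skip_frame >= AVDISCARD_ALL` early return and returns AVERROR_INVALIDDATA without a log message. If short packets are expected to be diagnosable from logs, a one-line av_log() before the return would help.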
