This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit ebeb5b206835f7e9086d6e9620978396ec929a88 Author: Michael Niedermayer <[email protected]> AuthorDate: Sat Jun 6 18:51:04 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Thu Jun 18 20:31:03 2026 +0200 avcodec/rv10, rv34: check init_get_bits8() before RealVideo bit access Found-by: Samarth Kumbla <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 0c662529f66c289dc90b5c9e7b7c56a385ab92d8) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/rv10.c | 3 ++- libavcodec/rv34.c | 15 ++++++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 753c6c6cb3..839cd32877 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -412,8 +412,9 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf, MpegEncContext *s = &rv->m; int mb_count, mb_pos, left, start_mb_x, active_bits_size, ret; + if ((ret = init_get_bits8(&s->gb, buf, FFMAX(buf_size, buf_size2))) < 0) + return ret; active_bits_size = buf_size * 8; - init_get_bits(&s->gb, buf, FFMAX(buf_size, buf_size2) * 8); if (s->codec_id == AV_CODEC_ID_RV10) mb_count = rv10_decode_picture_header(s); else diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index d94285431e..933236209b 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1428,7 +1428,9 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int int mb_pos, slice_type; int res; - init_get_bits(&r->s.gb, buf, buf_size*8); + res = init_get_bits8(&r->s.gb, buf, buf_size); + if (res < 0) + return res; res = r->parse_slice_header(r, gb, &r->si); if(res < 0){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect or unknown slice header\n"); @@ -1652,8 +1654,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, AVFrame *pict, av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return AVERROR_INVALIDDATA; } - init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8); - if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ + if ((ret = init_get_bits8(&s->gb, buf+offset, buf_size-offset)) < 0) + return ret; + if (r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start) { av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return AVERROR_INVALIDDATA; } @@ -1782,8 +1785,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, AVFrame *pict, av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } - init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8); - if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ + ret = init_get_bits8(&s->gb, buf+offset1, buf_size-offset1); + if (ret < 0) + return ret; + if (r->parse_slice_header(r, &r->s.gb, &si) < 0) { size = offset2 - offset; }else r->si.end = si.start; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
