From c7a4ef1c2d235e73be849028c145949eac6ae9ef Mon Sep 17 00:00:00 2001
From: oblivionsage <cookieandcream560@gmail.com>
Date: Fri, 7 Nov 2025 18:08:14 +0100
Subject: [PATCH] avcodec/rv60dec: add upper bound check for qp

The quantization parameter (qp) can exceed 63 when the base value
from frame header (0-63) is combined with the offset from slice data
(up to +2), resulting in qp=65. This causes out-of-bounds access to
the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and
get_c4x4_set().

Previous fix in commit 61cbcaf93f3b2e10124f4c63ce7cd8dad6505fb2 added validation only for intra
frames at a later stage. This patch adds validation at the source
in decode_slice() to prevent invalid qp values for all frame types.

Fixes: Out-of-bounds read reported by OSS-Fuzz (clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264)
Signed-off-by: oblivionsage <cookieandcream560@gmail.com>
---
 libavcodec/rv60dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 33728e33a0..b7b4f46512 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2265,7 +2265,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata, int cu_y, int thread
             ff_thread_progress_await(&s->progress[cu_y - 1], cu_x + 2);
 
         qp = s->qp + read_qp_offset(&gb, s->qp_off_type);
-        if (qp < 0) {
+        if (qp < 0 || qp >= 64) {
             ret = AVERROR_INVALIDDATA;
             break;
         }
-- 
2.50.1