PR #21466 opened by James Almer (jamrial) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21466 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21466.patch
And replace them with init_get_bits8, to prevent integer overflows on huge values. Fixes issue #21463.
>From 8883736fa0caa5df5745c4f54f9178a173f659a5 Mon Sep 17 00:00:00 2001
From: James Almer <[email protected]>
Date: Wed, 14 Jan 2026 10:48:42 -0300
Subject: [PATCH] avcodec/vc1dec: check return values of all init_get_bits() calls

And replace them with init_get_bits8, to prevent integer overflows on huge values. Fixes issue #21463.

Signed-off-by: James Almer <[email protected]>
---
 libavcodec/vc1dec.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 72bc810ce7..6bf3a7aa9b 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -683,7 +683,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx)
             if (size <= 0) continue;
             buf2_size = v->vc1dsp.vc1_unescape_buffer(start + 4, size, buf2);
-            init_get_bits(&gb, buf2, buf2_size * 8);
+            ret = init_get_bits8(&gb, buf2, buf2_size);
+            if (ret < 0) {
+                av_free(buf2);
+                return ret;
+            }
             switch (AV_RB32(start)) {
             case VC1_CODE_SEQHDR:
                 if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) {
@@ -888,8 +892,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
                     }
                     buf_size3 = v->vc1dsp.vc1_unescape_buffer(start + 4, size,
                                                               slices[n_slices].buf);
-                    init_get_bits(&slices[n_slices].gb, slices[n_slices].buf,
-                                  buf_size3 << 3);
+                    ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3);
+                    if (ret < 0) {
+                        ret = AVERROR(ENOMEM);
+                        goto err;
+                    }
                     slices[n_slices].mby_start = avctx->coded_height + 31 >> 5;
                     slices[n_slices].rawbuf = start;
                     slices[n_slices].raw_size = size + 4;
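Review bot: The value returned by init_get_bits8() is discarded in the new `if (ret < 0)` block and replaced with AVERROR(ENOMEM), so an invalid unescaped slice size — the only thing init_get_bits8() rejects, it does not allocate — is reported to the caller as an out-of-memory condition instead of the bad-input error this commit is meant to surface. The same overwrite appears in the hunks at -899, -918 and -952. The surrounding `ret = …; goto err;` pattern indicates `err` returns `ret`, so the fix is to drop the assignment and keep `if (ret < 0)` / `    goto err;`. vc1_decode_frame() and its `err:` label lie outside this hunk.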
@@ -899,7 +906,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
                 }
                 case VC1_CODE_ENTRYPOINT: /* it should be before frame data */
                     buf_size2 = v->vc1dsp.vc1_unescape_buffer(start + 4, size, buf2);
-                    init_get_bits(&v->gb, buf2, buf_size2 * 8);
+                    ret = init_get_bits8(&v->gb, buf2, buf_size2);
+                    if (ret < 0) {
+                        ret = AVERROR(ENOMEM);
+                        goto err;
+                    }
                     ff_vc1_decode_entry_point(avctx, v, &v->gb);
                     break;
                 case VC1_CODE_SLICE: {
@@ -918,8 +929,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
                     }
                     buf_size3 = v->vc1dsp.vc1_unescape_buffer(start + 4, size,
                                                               slices[n_slices].buf);
-                    init_get_bits(&slices[n_slices].gb, slices[n_slices].buf,
-                                  buf_size3 << 3);
+                    ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3);
+                    if (ret < 0) {
+                        ret = AVERROR(ENOMEM);
+                        goto err;
+                    }
                     slices[n_slices].mby_start = get_bits(&slices[n_slices].gb, 9);
                     slices[n_slices].rawbuf = start;
                     slices[n_slices].raw_size = size + 4;
@@ -952,8 +966,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
                     goto err;
                 }
                 buf_size3 = v->vc1dsp.vc1_unescape_buffer(divider + 4, buf + buf_size - divider - 4, slices[n_slices].buf);
-                init_get_bits(&slices[n_slices].gb, slices[n_slices].buf,
-                              buf_size3 << 3);
+                ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3);
+                if (ret < 0) {
+                    ret = AVERROR(ENOMEM);
+                    goto err;
+                }
                 slices[n_slices].mby_start = s->mb_height + 1 >> 1;
                 slices[n_slices].rawbuf = divider;
                 slices[n_slices].raw_size = buf + buf_size - divider;
@@ -964,7 +981,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
         } else {
             buf_size2 = v->vc1dsp.vc1_unescape_buffer(buf, buf_size, buf2);
         }
-        init_get_bits(&v->gb, buf2, buf_size2*8);
+        ret = init_get_bits8(&v->gb, buf2, buf_size2);
+        if (ret < 0)
+            return ret;
     } else{
         ret = init_get_bits8(&v->gb, buf, buf_size);
         if (ret < 0)
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
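Review bot: The new `return ret;` after init_get_bits8() in this hunk leaves vc1_decode_frame() without the cleanup every other failure path this commit adds to the function reaches via `goto err`; `buf2` is the buffer the unescape call on the line above writes into, and if it is heap-allocated earlier in the function (its allocation is outside the hunk, so confirm) this early return leaks it, and in the field-divider path the `slices` array as well. Change the two added lines to `if (ret < 0)` / `    goto err;` to match the hunks at -892, -906, -929 and -966. The pre-existing `return ret;` in the `} else{` branch below is a different path on which no buffer appears to have been allocated, so it can stay as it is.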
