PR #21571 opened by frankplow URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21571 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21571.patch
"lavc/vvc: Fix unchecked error codes from set_qp_y" should be backported to 8.0 only. "lavc/vvc: Fix unchecked error codes from add_reconstructed_area" should be backported to 8.0 and 7.1. >From 3384026e1340a7da707ec5d049f2c6004d452bc2 Mon Sep 17 00:00:00 2001 From: Frank Plowman <[email protected]> Date: Sat, 24 Jan 2026 13:21:00 +0000 Subject: [PATCH 1/2] lavc/vvc: Fix unchecked error codes from set_qp_y Fixes: clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4957602162475008 --- libavcodec/vvc/ctu.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c index 18cbe0fe0f..e50ac592bd 100644 --- a/libavcodec/vvc/ctu.c +++ b/libavcodec/vvc/ctu.c @@ -1157,8 +1157,11 @@ static int skipped_transform_tree_unit(VVCLocalContext *lc) const CodingUnit *cu = lc->cu; int ret; - if (cu->tree_type != DUAL_TREE_CHROMA) - set_qp_y(lc, cu->x0, cu->y0, 0); + if (cu->tree_type != DUAL_TREE_CHROMA) { + ret = set_qp_y(lc, cu->x0, cu->y0, 0); + if (ret < 0) + return ret; + } if (rsps->sps_chroma_format_idc && cu->tree_type != DUAL_TREE_LUMA) set_qp_c(lc); ret = skipped_transform_tree(lc, cu->x0, cu->y0, cu->cb_width, cu->cb_height); @@ -1937,17 +1940,20 @@ static void palette_update_predictor(VVCLocalContext *lc, const bool local_dual_ } } -static void palette_qp(VVCLocalContext *lc, VVCTreeType tree_type, const bool escape_present) +static int palette_qp(VVCLocalContext *lc, VVCTreeType tree_type, const bool escape_present) { const VVCFrameContext *fc = lc->fc; const VVCPPS *pps = fc->ps.pps; const H266RawSliceHeader *rsh = lc->sc->sh.r; const CodingUnit *cu = lc->cu; + int ret; if (tree_type != DUAL_TREE_CHROMA) { const bool has_qp_delta = escape_present && pps->r->pps_cu_qp_delta_enabled_flag && !lc->parse.is_cu_qp_delta_coded; - set_qp_y(lc, cu->x0, cu->y0, has_qp_delta); + ret = set_qp_y(lc, cu->x0, cu->y0, has_qp_delta); + if (ret < 0) + return ret; } if (tree_type != DUAL_TREE_LUMA) { @@ -1955,6 +1961,8 @@ static void palette_qp(VVCLocalContext *lc, VVCTreeType tree_type, const bool es chroma_qp_offset_decode(lc, 0, 1); set_qp_c(lc); } + + return 0; } #define PALETTE_SET_PIXEL(xc, yc, pix) \ @@ -2123,7 +2131,9 @@ static int hls_palette_coding(VVCLocalContext *lc, const VVCTreeType tree_type) transpose = ff_vvc_palette_transpose_flag(lc); } - palette_qp(lc, tree_type, escape_present); + ret = palette_qp(lc, tree_type, escape_present); + if (ret < 0) + return ret; index[0] = 0; for (int i = 0; i <= (tu->tbs[0].tb_width * tu->tbs[0].tb_height - 1) >> 4; i++) { -- 2.52.0 >From b27e7f88740492fb116d51e60e261e47acace578 Mon Sep 17 00:00:00 2001 From: Frank Plowman <[email protected]> Date: Sat, 24 Jan 2026 13:41:31 +0000 Subject: [PATCH 2/2] lavc/vvc: Fix unchecked error codes from add_reconstructed_area --- libavcodec/vvc/intra.c | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/libavcodec/vvc/intra.c b/libavcodec/vvc/intra.c index 52a138ef1c..eccd8ee4c5 100644 --- a/libavcodec/vvc/intra.c +++ b/libavcodec/vvc/intra.c @@ -225,21 +225,23 @@ static int get_chroma_predict_unit(const CodingUnit *cu, const TransformUnit *tu } //8.4.5.1 General decoding process for intra blocks -static void predict_intra(VVCLocalContext *lc, const TransformUnit *tu, const int idx, const int target_ch_type) +static int predict_intra(VVCLocalContext *lc, const TransformUnit *tu, const int idx, const int target_ch_type) { const VVCFrameContext *fc = lc->fc; const CodingUnit *cu = lc->cu; const VVCTreeType tree_type = cu->tree_type; - int x0, y0, w, h; + int x0, y0, w, h, ret; if (cu->pred_mode != MODE_INTRA) { - add_reconstructed_area(lc, target_ch_type, tu->x0, tu->y0, tu->width, tu->height); - return; + ret = add_reconstructed_area(lc, target_ch_type, tu->x0, tu->y0, tu->width, tu->height); + return ret; } if (!target_ch_type && tree_type != DUAL_TREE_CHROMA) { if (get_luma_predict_unit(cu, tu, idx, &x0, &y0, &w, &h)) { ff_vvc_set_neighbour_available(lc, x0, y0, w, h); fc->vvcdsp.intra.intra_pred(lc, x0, y0, w, h, 0); - add_reconstructed_area(lc, 0, x0, y0, w, h); + ret = add_reconstructed_area(lc, 0, x0, y0, w, h); + if (ret < 0) + return ret; } } if (target_ch_type && tree_type != DUAL_TREE_LUMA) { @@ -251,9 +253,12 @@ static void predict_intra(VVCLocalContext *lc, const TransformUnit *tu, const in fc->vvcdsp.intra.intra_pred(lc, x0, y0, w, h, 1); fc->vvcdsp.intra.intra_pred(lc, x0, y0, w, h, 2); } - add_reconstructed_area(lc, 1, x0, y0, w, h); + ret = add_reconstructed_area(lc, 1, x0, y0, w, h); + if (ret < 0) + return ret; } } + return 0; } static void scale_clip(int *coeff, const int nzw, const int w, const int h, @@ -586,11 +591,14 @@ static int reconstruct(VVCLocalContext *lc) CodingUnit *cu = lc->cu; const int start = cu->tree_type == DUAL_TREE_CHROMA; const int end = fc->ps.sps->r->sps_chroma_format_idc && (cu->tree_type != DUAL_TREE_LUMA); + int ret; for (int ch_type = start; ch_type <= end; ch_type++) { TransformUnit *tu = cu->tus.head; for (int i = 0; tu; i++) { - predict_intra(lc, tu, i, ch_type); + ret = predict_intra(lc, tu, i, ch_type); + if (ret < 0) + return ret; itransform(lc, tu, ch_type); tu = tu->next; } @@ -726,10 +734,16 @@ int ff_vvc_reconstruct(VVCLocalContext *lc, const int rs, const int rx, const in if (cu->coded_flag) { ret = reconstruct(lc); } else { - if (cu->tree_type != DUAL_TREE_CHROMA) - add_reconstructed_area(lc, LUMA, cu->x0, cu->y0, cu->cb_width, cu->cb_height); - if (sps->r->sps_chroma_format_idc && cu->tree_type != DUAL_TREE_LUMA) - add_reconstructed_area(lc, CHROMA, cu->x0, cu->y0, cu->cb_width, cu->cb_height); + if (cu->tree_type != DUAL_TREE_CHROMA) { + ret = add_reconstructed_area(lc, LUMA, cu->x0, cu->y0, cu->cb_width, cu->cb_height); + if (ret < 0) + return ret; + } + if (sps->r->sps_chroma_format_idc && cu->tree_type != DUAL_TREE_LUMA) { + ret = add_reconstructed_area(lc, CHROMA, cu->x0, cu->y0, cu->cb_width, cu->cb_height); + if (ret < 0) + return ret; + } } if (sps->r->sps_ibc_enabled_flag) ibc_fill_vir_buf(lc, cu); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
