PR #21785 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21785 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21785.patch
The code assumes that (a+b)+c = a+(b+c) but this does not hold true when clipping occurred. A better fix is to use int64_t or ensure clipping always cancels Fixes: error becoming negative Fixes: 472729757/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5712538546536448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> >From cecb39fe619391d0960ceec6cfe9ed29b26706d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Mon, 16 Feb 2026 03:34:25 +0100 Subject: [PATCH] avcodec/elbg: error out from try_shift_candidate() when clipping occurred The code assumes that (a+b)+c = a+(b+c) but this does not hold true when clipping occurred. A better fix is to use int64_t or ensure clipping always cancels Fixes: error becoming negative Fixes: 472729757/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5712538546536448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/elbg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/elbg.c b/libavcodec/elbg.c index 84043af4fd..37bc955bc2 100644 --- a/libavcodec/elbg.c +++ b/libavcodec/elbg.c @@ -302,6 +302,9 @@ static void try_shift_candidate(ELBGContext *elbg, int idx[3]) for (j=0; j<3; j++) olderror += elbg->utility[idx[j]]; + if (olderror >= INT_MAX) + return; + memset(newcentroid[2], 0, elbg->dim*sizeof(int)); for (k=0; k<2; k++) -- 2.52.0
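Review bot: The new `if (olderror >= INT_MAX)` test runs only after the loop has already added three `elbg->utility[idx[j]]` values into `olderror`, and the declaration of `olderror` is not visible in this hunk, so what the test detects depends on its type. If `olderror` is a plain `int`, the comparison can only be true on equality with `INT_MAX`, and the `+=` in the loop can overflow before the check is reached when more than one of the three entries is large. If it is a wider type, the test also rejects sums of unclipped values that merely add up to `INT_MAX` or more. Testing each `elbg->utility[idx[j]]` against `INT_MAX` inside the loop, before it is added, would express "clipping occurred" directly and would not rely on the sum. A short comment above the early `return` would also help: it should say that `INT_MAX` is being treated as the clipped value and that the shift attempt is skipped in that case, since the commit message itself notes that using `int64_t` or making the clipping cancel would be the better fix.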
