[FFmpeg-devel] [PR] avcodec/cbs_h266_syntax_template: Bound num_tile_columns/rows (PR #21791)

Wed, 18 Feb 2026 18:30:17 -0800 

PR #21791 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21791
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21791.patch

Fixes: out of array access
Fixes: crash_vvc_heap_oob_read.bin

Found-by: akshay jain <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>


>From a832972cf624278bd31d4bb31d54492ae6514b7d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Thu, 19 Feb 2026 00:30:54 +0100
Subject: [PATCH] avcodec/cbs_h266_syntax_template: Bound num_tile_columns/rows

Fixes: out of array access
Fixes: crash_vvc_heap_oob_read.bin

Found-by: akshay jain <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/cbs_h266_syntax_template.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cbs_h266_syntax_template.c 
b/libavcodec/cbs_h266_syntax_template.c
index 4f6ae76e27..4fc82704d1 100644
--- a/libavcodec/cbs_h266_syntax_template.c
+++ b/libavcodec/cbs_h266_syntax_template.c
@@ -1973,14 +1973,14 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, 
RWContext *rw,
                 tile_y = tile_idx / current->num_tile_columns;
                 if (tile_x != current->num_tile_columns - 1) {
                     ues(pps_slice_width_in_tiles_minus1[i],
-                        0, current->num_tile_columns - 1, 1, i);
+                        0, current->num_tile_columns - 1 - tile_x, 1, i);
                 } else {
                     infer(pps_slice_width_in_tiles_minus1[i], 0);
                 }
                 if (tile_y != current->num_tile_rows - 1 &&
                     (current->pps_tile_idx_delta_present_flag || tile_x == 0)) 
{
                     ues(pps_slice_height_in_tiles_minus1[i],
-                        0, current->num_tile_rows - 1, 1, i);
+                        0, current->num_tile_rows - 1 - tile_y, 1, i);
                 } else {
                     if (tile_y == current->num_tile_rows - 1)
                         infer(pps_slice_height_in_tiles_minus1[i], 0);
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to