[FFmpeg-devel] [PR] avcodec/vorbisdec: Check remaining bits (PR #22433)

[michaelni via ffmpeg-devel]

PR #22433 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22433
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22433.patch

Fixes: Timeout (note this still takes 17sec after this patch)
Fixes: 
490144337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_DEC_fuzzer-4539724776931328

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>


>From 5327b45d1f361a35c69f71d2b5cc45a26f552ec8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Sat, 7 Mar 2026 13:16:32 +0100
Subject: [PATCH] avcodec/vorbisdec: Check remaining bits

Fixes: Timeout (note this still takes 17sec after this patch)
Fixes: 
490144337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_DEC_fuzzer-4539724776931328

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/vorbisdec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index aff95f44a9..a0b35eb8a8 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -1126,6 +1126,8 @@ static int vorbis_floor0_decode(vorbis_context *vc,
     if (!vf->amplitude_bits)
         return 1;
 
+    if (get_bits_left(&vc->gb) < vf->amplitude_bits)
+        return AVERROR_INVALIDDATA;
     amplitude = get_bits64(&vc->gb, vf->amplitude_bits);
     if (amplitude > 0) {
         float last = 0;
@@ -1241,12 +1243,16 @@ static int vorbis_floor1_decode(vorbis_context *vc,
     unsigned partition_class, cdim, cbits, csub, cval, offset, i, j;
     int book, adx, ady, dy, off, predicted, err;
 
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
 
     if (!get_bits1(gb)) // silence
         return 1;
 
 // Read values (or differences) for the floor's points
 
+    if (get_bits_left(gb) < 2*ilog(range - 1))
+        return AVERROR_INVALIDDATA;
     floor1_Y[0] = get_bits(gb, ilog(range - 1));
     floor1_Y[1] = get_bits(gb, ilog(range - 1));
 
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-le...@ffmpeg.org