PR #22434 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22434 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22434.patch
Fixes: integer overflow Fixes: 490241717/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZLIB_DEC_fuzzer-4560518961758208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> >From 1647000a253a41e35df8d41f090ff4042ba7b3e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Sat, 7 Mar 2026 13:41:38 +0100 Subject: [PATCH] avcodec/lcldec: Fixes uqvq overflow Fixes: integer overflow Fixes: 490241717/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZLIB_DEC_fuzzer-4560518961758208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/lcldec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index b439dbe25e..e9d4283eef 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -175,7 +175,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, int height = avctx->height; // Real image height unsigned int mszh_dlen; unsigned char yq, y1q, uq, vq; - int uqvq, ret; + int ret; unsigned int mthread_inlen, mthread_outlen; unsigned int len = buf_size; int linesize, offset; @@ -306,7 +306,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, for (row = 0; row < height; row++) { pixel_ptr = row * width * 3; yq = encoded[pixel_ptr++]; - uqvq = AV_RL16(encoded+pixel_ptr); + unsigned uqvq = AV_RL16(encoded+pixel_ptr); pixel_ptr += 2; for (col = 1; col < width; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
