PR #23382 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23382 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23382.patch
Found-by: Samarth Kumbla <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
>From fb80ae31fc9ed471ada54c5a3b3d3e2a65cd2661 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sat, 6 Jun 2026 18:51:04 +0200
Subject: [PATCH] avcodec/rv10, rv34: check init_get_bits8() before RealVideo bit access
Found-by: Samarth Kumbla <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/rv10.c | 3 ++-
 libavcodec/rv34.c | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 1958f36c98..237a211d85 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -416,7 +416,8 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
 int mb_count, mb_pos, left, start_mb_x, active_bits_size, ret;
 
 active_bits_size = buf_size * 8;
- init_get_bits(&h->gb, buf, FFMAX(buf_size, buf_size2) * 8);
+ if ((ret = init_get_bits8(&h->gb, buf, FFMAX(buf_size, buf_size2))) < 0)
+ return ret;
 if (h->c.codec_id == AV_CODEC_ID_RV10)
 mb_count = rv10_decode_picture_header(h);
 else
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 874b4232d9..064b3bae53 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1661,7 +1661,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, AVFrame *pict,
 av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
 return AVERROR_INVALIDDATA;
 }
- init_get_bits(&r->gb, buf+offset, (buf_size-offset)*8);
+ if ((ret = init_get_bits8(&r->gb, buf+offset, buf_size-offset)) < 0)
+ return ret;
 if (r->parse_slice_header(r, &r->gb, &si) < 0 || si.start) {
 av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n");
 return AVERROR_INVALIDDATA;
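Review bot: The overflow that init_get_bits8() is meant to reject has already happened one line earlier in the rv10.c hunk: `active_bits_size = buf_size * 8;` is evaluated before the new check, so a buf_size above INT_MAX/8 overflows (signed, undefined behaviour) before the call can return its error. Unless the caller already bounds buf_size, move the call above the multiplication, e.g. `if ((ret = init_get_bits8(&h->gb, buf, FFMAX(buf_size, buf_size2))) < 0) return ret;` followed by `active_bits_size = buf_size * 8;`. Note also that init_get_bits8() validates only FFMAX(buf_size, buf_size2), so a negative buf_size paired with a sane buf_size2 still passes and leaves active_bits_size negative; whether the caller excludes that is outside the hunk. rv10_decode_packet's body continues past the end of the hunk.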
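Review bot: In the first rv34.c hunk the new `return ret;` is the only error exit in this block that returns without logging, while the neighbouring paths report "Slice offset is invalid" and "First slice header is incorrect" before returning AVERROR_INVALIDDATA, so a rejected first-slice size would be silent in the decoder's output. For consistency, log before propagating, e.g. `av_log(avctx, AV_LOG_ERROR, "Invalid first slice size\n");` immediately ahead of `return ret;`. The check also relies on `ret` being declared earlier in ff_rv34_decode_frame, which is not visible here; the function body continues past both ends of the hunk.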
@@ -1791,8 +1792,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, AVFrame *pict,
 av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
 break;
 }
- init_get_bits(&r->gb, buf+offset1, (buf_size-offset1)*8);
- if (r->parse_slice_header(r, &r->gb, &si) < 0) {
+ if (init_get_bits8(&r->gb, buf+offset1, buf_size-offset1) < 0 ||
+ r->parse_slice_header(r, &r->gb, &si) < 0) {
 size = offset2 - offset;
 }else
 r->si.end = si.start;
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
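Review bot: Unlike the earlier init_get_bits8() call in the same function, which propagates its error code, this one discards the return value and folds a failed init into the `size = offset2 - offset;` branch, exactly as an unparsable next-slice header is treated; the asymmetry is presumably deliberate (the look-ahead at the next slice is best-effort) but nothing in the code says so. A one-line comment above the new `if` would spare the next reader the question, e.g. `/* an unreadable next-slice header, or a bad size, simply extends this slice to offset2 */`. If a failed init_get_bits8() leaves r->gb in a cleared state, this is only safe as long as r->gb is re-initialised before the current slice is decoded, which this hunk does not show. ff_rv34_decode_frame continues past both ends of the hunk.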
