ffmpeg | branch: master | Mark Thompson <s...@jkqxz.net> | Tue May 13 20:50:38 2025 +0100| [527d5eaec70291d2845aca936dd64090fc226859] | committer: Mark Thompson
apv_decode: Discard invalid run codes earlier Caught by ubsan - would cause an invalid shift in constructing the run value. > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=527d5eaec70291d2845aca936dd64090fc226859
---
 libavcodec/apv_entropy.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/libavcodec/apv_entropy.c b/libavcodec/apv_entropy.c
index 49d5505b6b..1cab88d547 100644
--- a/libavcodec/apv_entropy.c
+++ b/libavcodec/apv_entropy.c
@@ -278,6 +278,13 @@ int ff_apv_entropy_decode_block(int16_t *restrict coeff,
 bits = next_bits & 0xffff;
 // Determine code length.
 leading_zeroes = 15 - av_log2(bits);
+ if (leading_zeroes >= 6) {
+ // 6 zeroes implies run > 64, which is always invalid.
+ av_log(state->log_ctx, AV_LOG_ERROR,
+ "Out-of-range run value: %d leading zeroes.\n",
+ leading_zeroes);
+ return AVERROR_INVALIDDATA;
+ }
 // Extract the low bits.
 low_bit_count = leading_zeroes;
 low_bit_shift = 16 - (1 + 2 * leading_zeroes);
@@ -443,6 +450,13 @@ int ff_apv_entropy_decode_block(int16_t *restrict coeff,
 bits = next_bits & 0xffff;
 // Determine code length.
 leading_zeroes = 15 - av_log2(bits);
+ if (leading_zeroes >= 6) {
+ // 6 zeroes implies run > 64, which is always invalid.
+ av_log(state->log_ctx, AV_LOG_ERROR,
+ "Out-of-range run value: %d leading zeroes.\n",
+ leading_zeroes);
+ return AVERROR_INVALIDDATA;
+ }
 // Extract the low bits.
 low_bit_count = leading_zeroes + k_run;
 low_bit_shift = 16 - (1 + 2 * leading_zeroes + k_run);
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
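Review bot: In the second hunk (new line 450 onward) the added `leading_zeroes >= 6` guard bounds only one of the two variable terms in `low_bit_shift = 16 - (1 + 2 * leading_zeroes + k_run)`, so the shift is non-negative only while `k_run` stays at or below 5, and nothing in the visible lines establishes that bound. If `k_run` is clamped earlier in ff_apv_entropy_decode_block (its body starts and ends outside both hunks), the check should say so, for example `// leading_zeroes <= 5 and k_run <= <max k_run>, so low_bit_shift cannot go negative.` with the real maximum filled in; if it is not clamped, the guard should cover the whole expression rather than `leading_zeroes` alone. The first hunk (new line 278 onward) has no `k_run` term, so with `leading_zeroes <= 5` its shift is at least 5 and needs nothing further. The same seven-line check is repeated verbatim in both hunks, so a small static helper would keep the two thresholds from drifting apart.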