The branch, master has been updated
       via  d80f8f36513ebff05c537adbe756e36036f80074 (commit)
       via  8abeb879df66ea8d27ce1735925ced5a30813de4 (commit)
       via  162f75b5e6798b385bb3eadd8280eff52d03cf29 (commit)
      from  6e8cf0377fee75de9ad2cc87385ab3e8f2c87143 (commit)


- Log -----------------------------------------------------------------
commit d80f8f36513ebff05c537adbe756e36036f80074
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 01:17:46 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sat Nov 8 01:17:46 2025 +0100

    avcodec/exr: spelling
    
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 4a504344c5..536a55c5be 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -176,7 +176,7 @@ typedef struct EXRContext {
     int is_luma;/* 1 if there is an Y plane */
 
 #define M(chr) (1<<chr - 'A')
-    int has_channel; ///< combinatin of flags representing the channel codes 
A-Z
+    int has_channel; ///< combination of flags representing the channel codes 
A-Z
 
     GetByteContext gb;
     const uint8_t *buf;
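Review bot: In the context line just above the corrected comment, `#define M(chr) (1<<chr - 'A')` uses its argument unparenthesized and depends on `-` binding tighter than `<<`. As this commit is already tidying that block, consider `(1 << ((chr) - 'A'))`. The neighbouring comment "1 if there is an Y plane" could also become "a Y plane" in the same spelling pass.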

commit 8abeb879df66ea8d27ce1735925ced5a30813de4
Author:     oblivionsage <[email protected]>
AuthorDate: Fri Nov 7 18:08:14 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sat Nov 8 01:16:39 2025 +0100

    avcodec/rv60dec: add upper bound check for qp
    
    The quantization parameter (qp) can exceed 63 when the base value
    from frame header (0-63) is combined with the offset from slice data
    (up to +2), resulting in qp=65. This causes out-of-bounds access to
    the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and
    get_c4x4_set().
    
    Fixes: Out-of-bounds read
    Signed-off-by: oblivionsage <[email protected]>
    
    No testsample is available
    
    This is related to 61cbcaf93f3b2e10124f4c63ce7cd8dad6505fb2 and
    clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264
    which fixed rv60_qp_to_idx[qp + 32] out of array access
    These 2 checks are not redundant and neither covers the cases of the other
    
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 33728e33a0..b7b4f46512 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2265,7 +2265,7 @@ static int decode_slice(AVCodecContext *avctx, void 
*tdata, int cu_y, int thread
             ff_thread_progress_await(&s->progress[cu_y - 1], cu_x + 2);
 
         qp = s->qp + read_qp_offset(&gb, s->qp_off_type);
-        if (qp < 0) {
+        if (qp < 0 || qp >= 64) {
             ret = AVERROR_INVALIDDATA;
             break;
         }
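Review bot: The new upper bound in `if (qp < 0 || qp >= 64)` is a magic number that has to stay in sync with the `rv60_qp_to_idx[64]` table named in the commit message. Consider expressing it through the table size (for example FF_ARRAY_ELEMS(rv60_qp_to_idx), if the array definition is visible in this file) or a named constant, and adding a one-line comment that qp indexes that table in decode_cbp8(), decode_cbp16() and get_c4x4_set(). The message says this check and the earlier `qp + 32` fix cover different cases, so a comment at each site stating which index it protects would keep a later cleanup from merging them.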

commit 162f75b5e6798b385bb3eadd8280eff52d03cf29
Author:     veygax <[email protected]>
AuthorDate: Sun Nov 2 02:35:40 2025 +0000
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 7 23:27:34 2025 +0100

    avcodec/exr: use tile dimensions in pxr24 UINT case
    
    Update the switch statement for EXR_UINT in pxr24_uncompress to
    correctly use the tile width td->xsize instead of using the full window
    width s->xdelta. s->delta is larger than td->xsize, which led to two
    buffer overflows when interacting with the ptr variable in the same
    switch statement.
    
    Fixes: out of bounds read and write
    Found-by: veygax's insomnia network (INSOMNIA-1)
    Signed-off-by: veygax <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 2e500140e0..4a504344c5 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -748,12 +748,12 @@ static int pxr24_uncompress(const EXRContext *s, const 
uint8_t *src,
                 break;
             case EXR_UINT:
                 ptr[0] = in;
-                ptr[1] = ptr[0] + s->xdelta;
-                ptr[2] = ptr[1] + s->xdelta;
-                ptr[3] = ptr[2] + s->xdelta;
-                in     = ptr[3] + s->xdelta;
+                ptr[1] = ptr[0] + td->xsize;
+                ptr[2] = ptr[1] + td->xsize;
+                ptr[3] = ptr[2] + td->xsize;
+                in     = ptr[3] + td->xsize;
 
-                for (j = 0; j < s->xdelta; ++j) {
+                for (j = 0; j < td->xsize; ++j) {
                     uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                     (*(ptr[1]++) << 16) |
                     (*(ptr[2]++) << 8 ) |
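Review bot: In the EXR_UINT case, `in` now advances by 4 * td->xsize per row, but the check that the decompressed buffer actually holds that many bytes lies outside this hunk. Please confirm that the expected-size computation for UINT channels also uses td->xsize, so the pointer stride and the size check agree. The other cases of this switch are not shown here and deserve the same look: any that still steps by s->xdelta has the same problem. Minor: the commit message refers to `s->delta` while the removed lines use `s->xdelta`.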

-----------------------------------------------------------------------

Summary of changes:
 libavcodec/exr.c     | 12 ++++++------
 libavcodec/rv60dec.c |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)


hooks/post-receive
-- 
