The branch, master has been updated
via 88b676105dd20ea72b39c0627e1a4b8d6b071f33 (commit)
via 9ccc33d84dda2e6ec4f6773b2b3a2debf1b3b055 (commit)
from ad956ff076ea808e5d64c9ac17c1bfc1ba7d0cc0 (commit)
- Log -----------------------------------------------------------------
commit 88b676105dd20ea72b39c0627e1a4b8d6b071f33
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Nov 7 01:53:17 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 16 21:43:17 2025 +0100
avcodec/prores_raw: Check bits in get_value()
The code loads 32bit so we can at maximum use 32bit
the return type is also changed to uint16_t (was requested in review),
no path is known where a return value above 32767 is produced, but that was
not exhaustively checked
Fixes: runtime error: shift exponent -9 is negative
Fixes:
439483046/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_RAW_DEC_fuzzer-6649466540326912
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c
index 69ecec986c..7017480336 100644
--- a/libavcodec/prores_raw.c
+++ b/libavcodec/prores_raw.c
@@ -59,7 +59,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
return 0;
}
-static int16_t get_value(GetBitContext *gb, int16_t codebook)
+static uint16_t get_value(GetBitContext *gb, int16_t codebook)
{
const int16_t switch_bits = codebook >> 8;
const int16_t rice_order = codebook & 0xf;
@@ -83,6 +83,8 @@ static int16_t get_value(GetBitContext *gb, int16_t codebook)
}
bits = exp_order + (q << 1) - switch_bits;
+ if (bits > 32)
+ return 0; // we do not return a negative error code so that we dont
produce out of range values on errors
skip_bits_long(gb, bits);
return (b >> (32 - bits)) +
((switch_bits + 1) << rice_order) -
@@ -145,7 +147,7 @@ static int decode_comp(AVCodecContext *avctx, TileContext
*tile,
int16_t dc_add = 0;
int16_t dc_codebook;
- int16_t ac, rn, ln;
+ uint16_t ac, rn, ln;
int16_t ac_codebook = 49;
int16_t rn_codebook = 0;
int16_t ln_codebook = 66;
commit 9ccc33d84dda2e6ec4f6773b2b3a2debf1b3b055
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Nov 7 01:47:40 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 16 21:34:38 2025 +0100
avcodec/prores_raw: Prettify ff_prores_raw_*_cb
the values contain 3 4 bit values, thus using hex is more natural
and shows more information
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c
index 9bc76da698..69ecec986c 100644
--- a/libavcodec/prores_raw.c
+++ b/libavcodec/prores_raw.c
@@ -97,30 +97,30 @@ static const uint8_t align_tile_w[16] = {
#define DC_CB_MAX 12
const uint8_t ff_prores_raw_dc_cb[DC_CB_MAX + 1] = {
- 16, 33, 50, 51, 51, 51, 68, 68, 68, 68, 68, 68, 118,
+ 0x010, 0x021, 0x032, 0x033, 0x033, 0x033, 0x044, 0x044, 0x044, 0x044,
0x044, 0x044, 0x076,
};
#define AC_CB_MAX 94
const int16_t ff_prores_raw_ac_cb[AC_CB_MAX + 1] = {
- 0, 529, 273, 273, 546, 546, 546, 290, 290, 290, 563, 563,
- 563, 563, 563, 563, 563, 563, 307, 307, 580, 580, 580, 580,
- 580, 580, 580, 580, 580, 580, 580, 580, 580, 580, 580, 580,
- 580, 580, 580, 580, 580, 580, 853, 853, 853, 853, 853, 853,
- 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853,
- 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853,
- 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853,
- 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 358
+ 0x000, 0x211, 0x111, 0x111, 0x222, 0x222, 0x222, 0x122, 0x122, 0x122,
+ 0x233, 0x233, 0x233, 0x233, 0x233, 0x233, 0x233, 0x233, 0x133, 0x133,
+ 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244,
0x244,
+ 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244,
0x244,
+ 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355,
0x355, 0x355, 0x355,
+ 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355,
0x355, 0x355, 0x355,
+ 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355,
0x355, 0x355, 0x355,
+ 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355,
0x355, 0x355, 0x355, 0x166,
};
#define RN_CB_MAX 27
const int16_t ff_prores_raw_rn_cb[RN_CB_MAX + 1] = {
- 512, 256, 0, 0, 529, 529, 273, 273, 17, 17, 33, 33, 546,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 50, 50, 68,
+ 0x200, 0x100, 0x000, 0x000, 0x211, 0x211, 0x111, 0x111, 0x011, 0x011,
0x021, 0x021, 0x222, 0x022,
+ 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022,
0x022, 0x032, 0x032, 0x044
};
#define LN_CB_MAX 14
const int16_t ff_prores_raw_ln_cb[LN_CB_MAX + 1] = {
- 256, 273, 546, 546, 290, 290, 1075, 1075, 563, 563, 563, 563, 563, 563, 51
+ 0x100, 0x111, 0x222, 0x222, 0x122, 0x122, 0x433, 0x433, 0x233, 0x233,
0x233, 0x233, 0x233, 0x233, 0x033,
};
static int decode_comp(AVCodecContext *avctx, TileContext *tile,
-----------------------------------------------------------------------
Summary of changes:
libavcodec/prores_raw.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
