This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

commit 82f097c825237219557a14918b74fa254121a6de
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sun Feb 22 21:51:01 2026 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Fri Jun 12 01:44:34 2026 +0200

    avcodec/hevc/ps: Check window parameters
    
    Fixes: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int'
    Fixes: 484567435/clusterfuzz-testcase-minimized-ffmpeg_dem_HXVS_fuzzer-5628836988649472
    
    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/hevc/ps.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index d915b804d7..9875893ad0 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -71,6 +71,13 @@ static int read_window(HEVCWindow *window, GetBitContext 
*gb, int chroma_format_
     int64_t top    = get_ue_golomb_long(gb) * vert_mult;
     int64_t bottom = get_ue_golomb_long(gb) * vert_mult;
 
+    if (left < 0 || right < 0 || top < 0 || bottom < 0 ||
+        w <= left + right ||
+        h <= top + bottom) {
+        memset(window, 0, sizeof(*window));
+        return AVERROR_INVALIDDATA;
+    }
+
     window->left_offset   = left;
     window->right_offset  = right;
     window->top_offset    = top;
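
Review bot: The `< 0` tests in the added condition only catch anything if the products in the context lines above (`get_ue_golomb_long(gb) * vert_mult`) are computed in a signed 64-bit type. The multiplication is evaluated in the operands' own type before the result is widened to `int64_t`, so if both operands are 32-bit the value can wrap first and reach the new check as an in-range number. Casting one operand, e.g. `(int64_t)get_ue_golomb_long(gb) * vert_mult`, would make the range check see the true product. Separately, the diffstat shows only these 7 insertions in one file, so no caller changes with this commit; it is worth confirming that every caller of read_window() checks the return value, since otherwise the zeroed window from the memset is used silently instead of the stream being rejected.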

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
