This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 52af067ac267f9c37a532d358545a9b739524f5b Author: Michael Niedermayer <[email protected]> AuthorDate: Sat Jun 6 18:51:04 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:41:07 2026 +0200 avcodec/rv10, rv34: check init_get_bits8() before RealVideo bit access Found-by: Samarth Kumbla <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 0c662529f66c289dc90b5c9e7b7c56a385ab92d8) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/rv10.c | 3 ++- libavcodec/rv34.c | 11 ++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 1958f36c98..68fc69961c 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -415,8 +415,9 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf, H263DecContext *const h = &rv->h; int mb_count, mb_pos, left, start_mb_x, active_bits_size, ret; + if ((ret = init_get_bits8(&h->gb, buf, FFMAX(buf_size, buf_size2))) < 0) + return ret; active_bits_size = buf_size * 8; - init_get_bits(&h->gb, buf, FFMAX(buf_size, buf_size2) * 8); if (h->c.codec_id == AV_CODEC_ID_RV10) mb_count = rv10_decode_picture_header(h); else diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index f78b91e7df..6942cc2e20 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1427,7 +1427,9 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int int mb_pos, slice_type; int res; - init_get_bits(gb, buf, buf_size*8); + res = init_get_bits8(gb, buf, buf_size); + if (res < 0) + return res; res = r->parse_slice_header(r, gb, &r->si); if(res < 0){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect or unknown slice header\n"); @@ -1647,7 +1649,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, AVFrame *pict, av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return AVERROR_INVALIDDATA; } - init_get_bits(&r->gb, buf+offset, (buf_size-offset)*8); + if ((ret = init_get_bits8(&r->gb, buf+offset, buf_size-offset)) < 0) + return ret; if (r->parse_slice_header(r, &r->gb, &si) < 0 || si.start) { av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return AVERROR_INVALIDDATA; @@ -1777,7 +1780,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, AVFrame *pict, av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } - init_get_bits(&r->gb, buf+offset1, (buf_size-offset1)*8); + ret = init_get_bits8(&r->gb, buf+offset1, buf_size-offset1); + if (ret < 0) + return ret; if (r->parse_slice_header(r, &r->gb, &si) < 0) { size = offset2 - offset; }else _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
