PR #21285 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21285 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21285.patch
>From f559146bb79277e0bb52d117516f93f7bb7ae28a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Tue, 23 Dec 2025 16:22:23 +0100
Subject: [PATCH 1/2] avcodec/dca_xll: Check get_rice_array()

Fixes: use of uninitialized memory
Fixes: 451655450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_DEC_fuzzer-6527248623796224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/dca_xll.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dca_xll.c b/libavcodec/dca_xll.c
index 0e9a4e77e7..86e992bf1c 100644
--- a/libavcodec/dca_xll.c
+++ b/libavcodec/dca_xll.c
@@ -64,12 +64,16 @@ static void get_linear_array(GetBitContext *gb, int32_t *array, int size, int n)
 array[i] = get_linear(gb, n);
 }
 
-static void get_rice_array(GetBitContext *gb, int32_t *array, int size, int k)
+static int get_rice_array(GetBitContext *gb, int32_t *array, int size, int k)
 {
 int i;
 
- for (i = 0; i < size; i++)
+ for (i = 0; i < size && get_bits_left(gb) > k; i++)
 array[i] = get_rice(gb, k);
+
+ if (i < size)
+ return AVERROR_INVALIDDATA;
+ return 0;
 }
 
 static int parse_dmix_coeffs(DCAXllDecoder *s, DCAXllChSet *c)
@@ -529,8 +533,10 @@ static int chs_parse_band_data(DCAXllDecoder *s, DCAXllChSet *c, int band, int s
 } else {
 // Rice codes
 // Unpack all residuals of part A of segment 0
- get_rice_array(&s->gb, part_a, c->nsamples_part_a[k],
- c->bitalloc_part_a[k]);
+ int ret = get_rice_array(&s->gb, part_a, c->nsamples_part_a[k],
+ c->bitalloc_part_a[k]);
+ if (ret < 0)
+ return ret;
 
 if (c->bitalloc_hybrid_linear[k]) {
 // Hybrid Rice codes
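Review bot: The new guard `get_bits_left(gb) > k` is evaluated before each code, so the last get_rice() call can still run past the end of the buffer if its variable-length unary prefix (get_rice's body is outside this hunk) needs more than the k+1 bits known to remain, and get_rice_array() then returns 0 for a read that was actually truncated. Since get_bits_left() should be negative after such an overrun, widening the post-loop test to `if (i < size || get_bits_left(gb) < 0)` in front of the existing `return AVERROR_INVALIDDATA;` would close that gap. The function also changes from void to int without any documentation of the new contract; a one-line comment above the definition such as `/* Returns 0, or AVERROR_INVALIDDATA if the bitstream ended before all size codes were read. */` would tell callers they now have to check the result.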
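Review bot: The trailing context line `if (c->bitalloc_hybrid_linear[k]) { // Hybrid Rice codes` opens a branch that this hunk does not touch; if that branch decodes Rice codes inline rather than through get_rice_array(), it keeps the unguarded bit reads this commit removes elsewhere and would need the same bits-left check, which is worth confirming while in this function. The enclosing chs_parse_band_data() starts and ends outside the hunk, as does the nested else-branch patched by the following hunk (`@@ -560,7 +566,9 @@`), which reuses the `ret` declared here rather than declaring its own.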
@@ -560,7 +566,9 @@ static int chs_parse_band_data(DCAXllDecoder *s, DCAXllChSet *c, int band, int s
 } else {
 // Rice codes
 // Unpack all residuals of part B of segment 0 and others
- get_rice_array(&s->gb, part_b, nsamples_part_b, c->bitalloc_part_b[k]);
+ ret = get_rice_array(&s->gb, part_b, nsamples_part_b, c->bitalloc_part_b[k]);
+ if (ret < 0)
+ return ret;
 }
 }
 }
-- 
2.49.1

>From 09bdd5b7ecf2b98e5cb7e916fdcd456e521476db Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Tue, 23 Dec 2025 16:24:22 +0100
Subject: [PATCH 2/2] avcodec/dca_xll: Clear padding in pbr_buffer

The testcase is already fixed by the previous commit

Fixes: use of uninitilaized memory
Fixes: 451655450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_DEC_fuzzer-6527248623796224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/dca_xll.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/dca_xll.c b/libavcodec/dca_xll.c
index 86e992bf1c..20ace57271 100644
--- a/libavcodec/dca_xll.c
+++ b/libavcodec/dca_xll.c
@@ -1102,6 +1102,7 @@ static int copy_to_pbr(DCAXllDecoder *s, const uint8_t *data, int size, int dela
 return AVERROR(ENOMEM);
 
 memcpy(s->pbr_buffer, data, size);
+ memset(s->pbr_buffer + size, 0, DCA_XLL_PBR_BUFFER_MAX + AV_INPUT_BUFFER_PADDING_SIZE - size);
 s->pbr_length = size;
 s->pbr_delay = delay;
 return 0;
-- 
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
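Review bot: The memset length `DCA_XLL_PBR_BUFFER_MAX + AV_INPUT_BUFFER_PADDING_SIZE - size` is only safe if `size` is already known to lie within `[0, DCA_XLL_PBR_BUFFER_MAX]` at this point; whatever check establishes that is outside the hunk (copy_to_pbr() begins above it), and because `size` is a signed int, a too-large or negative value would make the length wrap to a huge size_t and the memset would write past the allocation. If the earlier bound check exists, a comment tying the two together would help the next reader, e.g. `// size <= DCA_XLL_PBR_BUFFER_MAX was checked above; zero the unused tail and padding so later bit reads see defined bytes`. If it does not, a guard such as `if (size < 0 || size > DCA_XLL_PBR_BUFFER_MAX) return AVERROR(EINVAL);` belongs before the memcpy, since the memcpy on the line above is exposed to the same assumption.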
