To: ffmpeg-devel@ffmpeg.org
Date: Wed, 14 Jan 2026 13:50:48 -0000
Message-ID: <176839864913.25.4347598417601066205@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] avcodec/vc1dec: check return values of all init_get_bits() calls (PR #21466)
From: James Almer via ffmpeg-devel
Cc: James Almer

PR #21466 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21466
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21466.patch

And replace them with init_get_bits8, to prevent integer overflows on huge values.

Fixes issue #21463.

>>From 8883736fa0caa5df5745c4f54f9178a173f659a5 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Wed, 14 Jan 2026 10:48:42 -0300
Subject: [PATCH] avcodec/vc1dec: check return values of all init_get_bits() calls

And replace them with init_get_bits8, to prevent integer overflows on huge values.

Fixes issue #21463.

Signed-off-by: James Almer
---
 libavcodec/vc1dec.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 72bc810ce7..6bf3a7aa9b 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -683,7 +683,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (size <= 0) continue; buf2_size = v->vc1dsp.vc1_unescape_buffer(start + 4, size, buf2); - init_get_bits(&gb, buf2, buf2_size * 8); + ret = init_get_bits8(&gb, buf2, buf2_size); + if (ret < 0) { + av_free(buf2); + return ret; + } switch (AV_RB32(start)) { case VC1_CODE_SEQHDR: if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) { @@ -888,8 +892,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict, } buf_size3 = v->vc1dsp.vc1_unescape_buffer(start + 4, size, slices[n_slices].buf); - init_get_bits(&slices[n_slices].gb, slices[n_slices].buf, - buf_size3 << 3); + ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3); + if (ret < 0) { + ret = AVERROR(ENOMEM); + goto err; + } slices[n_slices].mby_start = avctx->coded_height + 31 >> 5; slices[n_slices].rawbuf = start; slices[n_slices].raw_size = size + 4; @@ -899,7 +906,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict, } case VC1_CODE_ENTRYPOINT: /* it should be before frame data */ buf_size2 = v->vc1dsp.vc1_unescape_buffer(start + 4, size, buf2); - init_get_bits(&v->gb, buf2, buf_size2 * 8); + ret = init_get_bits8(&v->gb, buf2, buf_size2); + if (ret < 0) { + ret = AVERROR(ENOMEM); + goto err; + } ff_vc1_decode_entry_point(avctx, v, &v->gb); break; case VC1_CODE_SLICE: { @@ -918,8 +929,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict, } buf_size3 = v->vc1dsp.vc1_unescape_buffer(start + 4, size, slices[n_slices].buf); - init_get_bits(&slices[n_slices].gb, slices[n_slices].buf, - buf_size3 << 3); + ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3); + if (ret < 0) { + ret = AVERROR(ENOMEM); + goto err; + } slices[n_slices].mby_start = get_bits(&slices[n_slices].gb, 9); slices[n_slices].rawbuf = start; slices[n_slices].raw_size = size + 4; 
@@ -952,8 +966,11 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict, goto err; } buf_size3 = v->vc1dsp.vc1_unescape_buffer(divider + 4, buf + buf_size - divider - 4, slices[n_slices].buf); - init_get_bits(&slices[n_slices].gb, slices[n_slices].buf, - buf_size3 << 3); + ret = init_get_bits8(&slices[n_slices].gb, slices[n_slices].buf, buf_size3); + if (ret < 0) { + ret = AVERROR(ENOMEM); + goto err; + } slices[n_slices].mby_start = s->mb_height + 1 >> 1; slices[n_slices].rawbuf = divider; slices[n_slices].raw_size = buf + buf_size - divider; @@ -964,7 +981,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict, } else { buf_size2 = v->vc1dsp.vc1_unescape_buffer(buf, buf_size, buf2); } - init_get_bits(&v->gb, buf2, buf_size2*8); + ret = init_get_bits8(&v->gb, buf2, buf_size2); + if (ret < 0) + return ret; } else{ ret = init_get_bits8(&v->gb, buf, buf_size); if (ret < 0) -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
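Review bot: In the three slice-buffer hunks of vc1_decode_frame (@@ -888, @@ -918 and @@ -952), the failure branch overwrites the code init_get_bits8() just returned with "ret = AVERROR(ENOMEM);" before "goto err", so a rejected buffer size is reported to the caller as an allocation failure even though nothing is allocated on that line. The vc1_decode_init hunk and the final hunk pass ret through unchanged; dropping the assignment and keeping "if (ret < 0) goto err;" would make these three consistent with them and preserve the real error. As a style point, the call now sits on one long line where the old call was wrapped, which is worth rewrapping to the file's existing width.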
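Review bot: In the VC1_CODE_ENTRYPOINT hunk (@@ -899), the init of v->gb is now checked but the ff_vc1_decode_entry_point(avctx, v, &v->gb) call on the very next context line still has its result discarded before "break;", so the case checks one step and ignores the other. Since the vc1_decode_init hunk shows the header parser there being checked with "if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0)", consider giving the entry point call the same treatment in this patch or a follow-up. The "ret = AVERROR(ENOMEM);" assignment here also replaces the value init_get_bits8() returned; leaving ret untouched before "goto err" would report the actual failure.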
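Review bot: In the last hunk (@@ -964), the new failure path leaves with "return ret;" although buf2 has just been written by vc1_unescape_buffer() in the context lines above, while every other new failure path in vc1_decode_frame leaves through "goto err". If the err label is where buf2 and the slices array are released, this return skips that cleanup and leaks them on the error path; "if (ret < 0) goto err;" would match the rest of the function. The plain return in the following else branch is a different case, since that branch reads directly from buf and does not use buf2.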