On Mon, Jun 24, 2024 at 02:01:42AM +0200, Andreas Rheinhardt wrote:
> These values are not read anywhere. Furthermore, since commit
> fe6037fd04db8837dcdb9013f9c4ad4e7eb0592e the linesize values
> of the MPVWorkPictures were wrong for subsequent fields
> in a chain of B-pictures (as they are always doubled and no longer
> based upon the frame-linesizes) which can eventually lead to overflow.
>
> Finally, it makes no real sense to ever double the linesize
> of the reference pictures at all: Even when the current picture
> is a field, it can still reference both fields of reference
> pictures and therefore the linesize should allow to address
> both fields (for the same reason, data is not offset for
> reference pictures).
>
> libavcodec/mpeg12dec.c:1304:41: runtime error: signed integer overflow: 4611686018427387904 * 2 cannot be represented in type 'long'
>
> issue: 69732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEGVIDEO_fuzzer-5123551179374592
>
> Signed-off-by: Andreas Rheinhardt
> ---
> libavcodec/mpeg12dec.c | 2 --
> 1 file changed, 2 deletions(-)

Tested, fixes the issue

thx

[...]

--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Some people wanted to paint the bikeshed green, some blue and some pink.
People argued and fought, when they finally agreed, only rust was left.