On Sat, Jun 21, 2025 at 11:15:21PM +0200, Michael Niedermayer wrote: > Fixes: heap-buffer-overflow > Fixes: 418421333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-6592025183191040 > Fixes: 418804929/clusterfuzz-testcase-minimized-ffmpeg_BSF_APV_METADATA_fuzzer-5773904646045696 > Fixes: 420737045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-5535272169439232 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavcodec/cbs_apv_syntax_template.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavcodec/cbs_apv_syntax_template.c b/libavcodec/cbs_apv_syntax_template.c > index fc8a08ff31d..b84565b1076 100644 > --- a/libavcodec/cbs_apv_syntax_template.c > +++ b/libavcodec/cbs_apv_syntax_template.c > @@ -236,6 +236,8 @@ static int FUNC(tile)(CodedBitstreamContext *ctx, RWContext *rw, > #ifdef READ > int pos = get_bits_count(rw); > av_assert0(pos % 8 == 0); > + if (get_bits_left(rw) < 8LL * comp_size) > + return AVERROR_INVALIDDATA; > current->tile_data[c] = (uint8_t*)align_get_bits(rw); > skip_bits_long(rw, 8 * comp_size); > #else will apply there has been a similar patch posted to ffmpeg-security that adds this error message: + av_log(ctx->log_ctx, AV_LOG_ERROR, + "Tile component size %u exceeds unit data remaining " \ + "(%d bytes left for %u declared).\n", + comp_size, get_bits_left(rw) / 8, comp_size); what do people think of this ? should we add more detailed error messages ? thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The educated differ from the uneducated as much as the living from the dead. -- Aristotle