From: michaelni
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH] avcodec/rv60dec: clear pu_info (PR #20249)
Date: Fri, 15 Aug 2025 22:39:44 +0300 (EEST)
Message-Id: <20250815193944.CF82E68D2DC@ffbox0-bg.ffmpeg.org>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>

PR #20249 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20249
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20249.patch

pu_info is read uninitialized on damaged input and at that point the following codepath is dependent on the uninitialized data. In one of these paths out-of-array accesses happen. None of this is replicable.

Less uninitialized data also should result in more reproducible reports.

Fixes: Use of uninitialized memory
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
From 75215e7fb6fd8e609e899bc1ecd598ecd888cdb9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 15 Aug 2025 19:49:19 +0200
Subject: [PATCH] avcodec/rv60dec: clear pu_info

pu_info is read uninitialized on damaged input and at that point the following codepath is dependent on the uninitialized data. In one of these paths out-of-array accesses happen. None of this is replicable.

Less uninitialized data also should result in more reproducible reports.

Fixes: Use of uninitialized memory
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/rv60dec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c index 4a3d9067db..208fbc68f7 100644 --- a/libavcodec/rv60dec.c +++ b/libavcodec/rv60dec.c @@ -308,6 +308,8 @@ static int update_dimensions_clear_info(RV60Context *s, int width, int height) if ((ret = av_reallocp_array(&s->blk_info, s->blk_stride * (s->cu_height << 4), sizeof(s->blk_info[0]))) < 0) return ret; + memset(s->pu_info, 0, s->pu_stride * (s->cu_height << 3) * sizeof(s->pu_info[0])); + for (int j = 0; j < s->cu_height << 4; j++) for (int i = 0; i < s->cu_width << 4; i++) s->blk_info[j*s->blk_stride + i].mv.mvref = MVREF_NONE;
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
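Review bot: in the `@@ -308,6 +308,8 @@` hunk the clear is sized as `s->pu_stride * (s->cu_height << 3) * sizeof(s->pu_info[0])`, but the allocation of `s->pu_info` is outside the shown context, so nothing in the hunk ties the memset length to the buffer's actual size; the neighbouring `blk_info` table right above uses `s->cu_height << 4` rows, so if `pu_info` was allocated with a different row count or stride the memset either leaves part of the table dirty (the bug persists) or writes past the end of the allocation (a worse bug). Please either derive the memset length from the same expression the `av_reallocp_array` call for `pu_info` uses, or place the clear directly after that allocation so the two cannot drift apart (the same pattern as `blk_info` being reset in the loop that follows). One further point for the commit message rather than the code: zeroing makes the damaged-input read deterministic but does not make that path valid, and `blk_info` uses an explicit `MVREF_NONE` sentinel rather than 0, so it is worth stating whether an all-zero `pu_info` entry is a safe "nothing decoded" value for the code that later branches and indexes on it, and whether the decoder should additionally reject the input that leaves the entry unwritten.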