From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id 6353E4EACA for ; Wed, 11 Feb 2026 14:59:30 +0000 (UTC) Authentication-Results: ffbox; dkim=fail (body hash mismatch (got b'wYTaEyVgxA1hZWWNWn9Ler/wwnP3oEnFiZmOHMAnfW4=', expected b'wlkevCfu/tlBc5nnqp4xqdD+40NjjZzRLn0ai7w3MkM=')) header.d=gmail.com header.a=rsa-sha256 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org; i=@ffmpeg.org; q=dns/txt; s=mail; t=1770821963; h=to : date : message-id : mime-version : reply-to : subject : list-id : list-archive : list-archive : list-help : list-owner : list-post : list-subscribe : list-unsubscribe : from : cc : content-type : content-transfer-encoding : from; bh=bbKbXavDxzIBZ2x2v1lm35i+Y+JrRFgaBlVxYC2LSZE=; b=1q2bgSwCxysxKtxYiWbv45YjCyDOhM/LoF3Z+P8gwdainYp4lc1JGBEMNDwAyfh3XfE0k OT3/u7Zca1/xaHfEcIFrvW2jCEySeSqTNmVc89Ue7Z3gBgcVYpjU4AW9bVIY+kyJXJiAY9M XBUiOONyLtP+lLjiprzTxkOPtvWfUa57xD8jMYjJl8ETSv0vWxDKzwDbnmRKvkGRGgYR0F9 wBz4ZQmKgAhXY8fZo63W1vD790i99TXOtj4YH4mew2a7acyiO8dL5e5I0K+Uwk0SrpvvrLf oI2skpx5X+e/hUTaqHQaW0BkIS3cju3tg1nFuSbzIe0XxK148tQx1Ol3WDEA== Received: from [172.20.0.3] (unknown [172.20.0.3]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 9F835691AEB; Wed, 11 Feb 2026 16:59:23 +0200 (EET) ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1770821954; b=rmFapmK/qg4jLIJy/LE3CohO4OILi+Vm7iQnIUacGQCVdzaKPNgYXizJ8bPHtu2gecKfw 4NKqvfwxYCkWt5jp03ogtLXfWFaqZGjlgWM5bvEI9RcDqgMjyB0Mt62NGur6mz+3YIS6ofp cudn4z4eZNDueo7tqxmTRsCPpLeCOiGtwHeIpf6lpNU0dmXnKT+K0NP2FpreB77sMhwU0et rz44T3zoqSN4grhNQuJ+Z67pfu4c0mOCsgNWXDegy1VTquMPeD2jwYQib6P88dfd66W0vKV v0JzpnGBiUclu6dJcV91s+gWR1nJ7gtZ76j8ReDJUNby16/nb5Hc2g6b93Lw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ffmpeg.org; s=arc; t=1770821954; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=wYTaEyVgxA1hZWWNWn9Ler/wwnP3oEnFiZmOHMAnfW4=; b=Lz5lGfk+sepueaDCHwbbvn95xT7/Mdfp+TZBY68Q4ibj0FmPYqdLqD7NlFLzVuu9nJbGd 8WNq15a1H0oM+ICk6wZALqUJpjFd5uarXdQ20Q9c1sGvYC6aNrJHvE+wvaPB05vs6rLKx1W zJ7C02sGG99cvYCsOpeNIgDUEWEE63KgdwW4R766vF2bCiv/zqPuUJD85lCtOo0fG4oqtx4 Db66TVw7YCN+E2A9cJGnGhaZ0O/n+0c0H+x01GPJPtqDYUwFJwvUEWe9chWIcam1CiNtz32 xjRpGYjGi2nNK0dZTlOq+3kFOfu8eNpxRRuDb/Fu8oIiwcRSGzprIWkon/0Q== ARC-Authentication-Results: i=1; ffmpeg.org; dkim=pass header.d=gmail.com; arc=none; dmarc=pass header.from=gmail.com policy.dmarc=quarantine Authentication-Results: ffmpeg.org; dkim=pass header.d=gmail.com; arc=none (Message is not ARC signed); dmarc=pass (Used From Domain Record) header.from=gmail.com policy.dmarc=quarantine Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 83D236912DC for ; Tue, 10 Feb 2026 10:55:59 +0200 (EET) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-8217f2ad01eso4497913b3a.2 for ; Tue, 10 Feb 2026 00:55:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770713757; x=1771318557; darn=ffmpeg.org; h=mime-version:content-transfer-encoding:msip_labels:content-language :accept-language:message-id:date:thread-index:thread-topic:subject :to:from:from:to:cc:subject:date:message-id:reply-to; bh=wlkevCfu/tlBc5nnqp4xqdD+40NjjZzRLn0ai7w3MkM=; b=X3CKxsDjUEkvJMCMBqJOWqbbQk/5w3S5/h2cfOP3M4JlJaFt5Rfpf+wIOh7krDEPgf Lq7rANCXlyno2DIvtsCamSCQ/0tsqsKd05FPfASt+wp84ZJ+fHyfUYLOOneMZ30vceGi VHtCYIwSiRxqFWdjashd9VITFOjfBIaAw/Y2NjcUBqiJCMrOPVhUzsBPzcviWkF3hDLW wRdTH0in1SA1CvzTT8w6bV1jHzzl9dWZpBCSjDWjpjFgFOM+YMQhouOM2Lr7+ooEdPId VGsaNA0DFaaC6SprgT2OvzrEunJ9rwSOdXG25xePkcUqB7hmNYntLxRr0/WV5m0yeGel 52Jg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770713757; x=1771318557; h=mime-version:content-transfer-encoding:msip_labels:content-language :accept-language:message-id:date:thread-index:thread-topic:subject :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=wlkevCfu/tlBc5nnqp4xqdD+40NjjZzRLn0ai7w3MkM=; b=BO0gWlBcCWb7qsGGq10zZdIPlidmICR1Yb9i/c2XjtNOh5eEC2fvwN2hbjUrLowUfn w7Jm1KN8s1bM7eOLdWzfYt8Az6+ED85moUx9eGxa5jIpc2GVxo06SNSrnNuuYVD0Ij0F DXpfeSI72Zn+4+Nt5g4ZOWP3l78yJrg/4d1C8HFXmpJnhPnSwKigtaYEVMIbs5KQLkJd ZxMis/+AT1lN0ZdM0hTuS/qH0PMJDKjh/TI2IhNw8TZ3iFYD9a3K1/XtSDoqpRqNU0ma aDel9D29zr776v/go3rvstYDrx94AW0cs9YF183M7Kxbg3XRVuEEy0fUoSCFpHsS01DZ OSsA== X-Gm-Message-State: AOJu0YzfiNF1P46ofgauJE6OotNRNXNEq9wSd1yHfQV1YhqPUja2qS+F OPNQfXwUZktGUeH2yfPiS20sh6pfbRloUbWdW+oVuPX9hskvyzdsEZRIXwNz8Q== X-Gm-Gg: AZuq6aKw1XbRUzgeF/aCZoCns/gex3rI6oPOZZMDPiSBpiZvEguXneiAvQUNc8pbGgU G8+VVcq6n80l9dX1x+tK+RE0xGxJwaBA8bSoU6rTapkKMpBK0J1PS+8zB8ydk2OcINtDN14BF9g 2Pd00hmXDDu/RySAxsadJ/12r1Qnvcx7a43KWZ2Wg4O/BleFKdQQes67e3eVufxqluornuo/vr5 Cemn/AL0T9eLZBTV9viP34MnWYxeDVO6L9Srph0NS8R4Ty6aeUDFHMJdU+UY4vnZrBrJHqRKG2/ 8rtiZSQx3gvF8aEmZ3nkAf7CbLWz7npoHthQy4QGWncnYqS2SD4GkEb6xQMjWCoPAlBvSO87DJT ljC7Kv+jwDQY+Rz2iqREYylIoD6dhhy1yi9A4zOatsyvxpekt6N562lJbjEWx6nOjgFgLukSaN3 vrbn0NV3t9fyQqyoXRU0y9sOUrXQ96cUHKmVjTm0nrIGMXfddt9LG1aPxAMA7rwqWAtr8F/Lrkx EOcpaFafX+CTfdfDQnxq9M1ft3ymACZWZ4/RnU9cQ3n2dTZKX7a X-Received: by 2002:a05:6a00:4f96:b0:81e:f623:b9fe with SMTP id d2e1a72fcca58-82487984757mr1770206b3a.4.1770713756923; Tue, 10 Feb 2026 00:55:56 -0800 (PST) Received: from AM0P194MB0690.EURP194.PROD.OUTLOOK.COM ([2603:1026:c03:3026::5]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82441677569sm12515336b3a.4.2026.02.10.00.55.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Feb 2026 00:55:56 -0800 (PST) To: "ffmpeg-devel@ffmpeg.org" Thread-Topic: [PATCH] avcodec/dstdec: fix arithmetic coder read past end of stream Thread-Index: AQHcmmr8N5kTK8WJ0E2tNO+56rTHcg== X-MS-Exchange-MessageSentRepresentingType: 1 Date: Tue, 10 Feb 2026 08:55:21 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-Exchange-Organization-SCL: -1 X-MS-TNEF-Correlator: X-MS-Exchange-Organization-RecordReviewCfmType: 0 msip_labels: MIME-Version: 1.0 X-MailFrom: SRS0=6m48=AO=gmail.com=sander.wichers@ffmpeg.org X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-ffmpeg-devel.ffmpeg.org-0; header-match-ffmpeg-devel.ffmpeg.org-1; header-match-ffmpeg-devel.ffmpeg.org-2; header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation Message-ID-Hash: CJC7P7BW7QLQFY2CDT5635NQJ7NFI7LU X-Message-ID-Hash: CJC7P7BW7QLQFY2CDT5635NQJ7NFI7LU X-Mailman-Approved-At: Wed, 11 Feb 2026 14:59:07 +0000 X-Mailman-Version: 3.3.10 Precedence: list Reply-To: FFmpeg development discussions and patches Subject: [FFmpeg-devel] [PATCH] avcodec/dstdec: fix arithmetic coder read past end of stream List-Id: FFmpeg development discussions and patches Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Alexander Wichers via ffmpeg-devel Cc: Alexander Wichers Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Archived-At: List-Archive: List-Post: The ac_get() renormalization reads n bits from the bitstream to refill the arithmetic coder state, but does not check whether enough bits remain. When decoding near the end of the arithmetic coded data section, this causes reads past the AC data boundary into trailing frame data, producing corrupted output in the last bytes of the decoded DSD frame. Add a bounds check using get_bits_left() before reading. When fewer than n bits remain, shift in zeros for the missing bits, matching the behavior of the ISO/IEC 14496-3 reference implementation. Signed-off-by: Alexander Wichers --- libavcodec/dstdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index cfb34b7b3c..e37d830ae4 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -205,8 +205,15 @@ static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, in if (ac->a < 2048) { int n = 11 - av_log2(ac->a); + int left = get_bits_left(gb); ac->a <<= n; - ac->c = (ac->c << n) | get_bits(gb, n); + if (left >= n) { + ac->c = (ac->c << n) | get_bits(gb, n); + } else { + ac->c <<= n; + if (left > 0) + ac->c |= get_bits(gb, left) << (n - left); + } } } -- 2.34.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org