Date: Sat, 3 Jan 2026 19:27:42 +0100
To: ffmpeg-devel@ffmpeg.org
X-Message-ID-Hash: KQUSSV4Q5F25ETOXKGOASZXYF6BAQ43X X-Mailman-Approved-At: Tue, 06 Jan 2026 02:09:09 +0000 X-Content-Filtered-By: Mailman/MimeDel 3.3.10 X-Mailman-Version: 3.3.10 Precedence: list Reply-To: FFmpeg development discussions and patches Subject: [FFmpeg-devel] [PATCH] avcodec/vvc: harden memory accesses in CTU (heap overflow, OOB read) List-Id: FFmpeg development discussions and patches Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Baptiste Bd via ffmpeg-devel Cc: Baptiste Bd Archived-At: List-Archive: List-Post: --000000000000f1c9f306477ffbe5 Content-Type: text/plain; charset="UTF-8" >>From 1d4cc49831864d703080e507ea1761dc0547786c Mon Sep 17 00:00:00 2001 From: OxBat Date: Sat, 3 Jan 2026 19:24:01 +0100 Subject: [PATCH] avcodec/vvc: harden memory accesses in CTU (heap overflow, OOB read) --- libavcodec/vvc/ctu.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c index 18cbe0fe0f..bf7cc074be 100644 --- a/libavcodec/vvc/ctu.c +++ b/libavcodec/vvc/ctu.c @@ -52,6 +52,11 @@ static void set_tb_size(const VVCFrameContext *fc, const TransformBlock *tb) for (int y = y_tb; y < end; y++) { const int off = y * fc->ps.pps->min_tu_width + x_tb; +/* PATCH: Check bounds to prevent heap overflow */ + int max_off = fc->ps.pps->min_tu_width * fc->ps.pps->min_tu_height; + if (off + width > max_off) { + return; + } memset(fc->tab.tb_width [is_chroma] + off, tb->tb_width, width); memset(fc->tab.tb_height[is_chroma] + off, tb->tb_height, width); } 
@@ -1185,6 +1190,8 @@ static void set_cb_pos(const VVCFrameContext *fc, const CodingUnit *cu) fc->tab.cb_pos_x[ch_type][x + i] = cu->x0; fc->tab.cb_pos_y[ch_type][x + i] = cu->y0; } + /* PATCH: Prevent heap overflow */ + if (x + width > fc->ps.pps->min_tu_width * fc->ps.pps->min_tu_height) return; memset(&fc->tab.cb_width[ch_type][x], cu->cb_width, width); memset(&fc->tab.cb_height[ch_type][x], cu->cb_height, width); memset(&fc->tab.cqt_depth[ch_type][x], cu->cqt_depth, width); @@ -1287,10 +1294,15 @@ static void derive_mmvd(const VVCLocalContext *lc, MvField *mvf, const Mv *mmvd_ if (mvf->pred_flag == PF_BI) { const RefPicList *rpl = sc->rpl; const int poc = lc->fc->ps.ph.poc; - const int diff[] = { - poc - rpl[L0].refs[mvf->ref_idx[L0]].poc, - poc - rpl[L1].refs[mvf->ref_idx[L1]].poc - }; +/* PATCH: Validate reference indices */ + if (mvf->ref_idx[L0] >= rpl[L0].nb_refs || + mvf->ref_idx[L1] >= rpl[L1].nb_refs) + return; + + const int diff[] = { + poc - rpl[L0].refs[mvf->ref_idx[L0]].poc, + poc - rpl[L1].refs[mvf->ref_idx[L1]].poc + }; const int sign = FFSIGN(diff[0]) != FFSIGN(diff[1]); if (diff[0] == diff[1]) { 
@@ -1932,7 +1944,11 @@ static void palette_update_predictor(VVCLocalContext *lc, const bool local_dual_ } } - memcpy(pp->entries, plt->entries, i * sizeof(pp->entries[0])); +/* PATCH: Clamp size to avoid overflow */ +if (i > VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE) + i = VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE; + +memcpy(pp->entries, plt->entries, i * sizeof(pp->entries[0])); pp->size = i; } } -- 2.52.0.windows.1
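Review bot: In the set_tb_size hunk (@@ -52,6 +52,11 @@) the guard `if (off + width > max_off) { return; }` is a silent bare return from a void function: it abandons the remaining rows of the `for (int y = y_tb; y < end; y++)` loop and leaves tb_width/tb_height partially filled for a block the rest of the decoder still believes exists, and it recomputes `max_off` on every iteration. A transform block whose x_tb/width/end run past the min-TU grid is an invalid bitstream, so the range should be checked where those values are derived from the parsed syntax and the stream rejected there (AVERROR_INVALIDDATA propagated up the call chain); if a last-resort guard is kept here, hoist the bound above the loop and make it an assertion or an error path rather than a return that drops data. Two smaller points: the bound is taken from `pps->min_tu_width * pps->min_tu_height` while the tables' actual allocation is not in the hunk, so confirm the two agree; and the `/* PATCH: ... */` comment sits at column 0 and the "PATCH:" prefix describes the submission, not the code, so it should go. The commit message also needs to say how the overflow is reached (fuzzer sample, reproducer, or the syntax path involved), since "harden memory accesses" alone does not let a reviewer check that the fix is at the right layer.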
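Review bot: In the set_cb_pos hunk (@@ -1185,6 +1190,8 @@) the check `if (x + width > fc->ps.pps->min_tu_width * fc->ps.pps->min_tu_height) return;` is placed after the loop that already stored `fc->tab.cb_pos_x[ch_type][x + i]` and `fc->tab.cb_pos_y[ch_type][x + i]`, so when `x + width` is out of range those stores have already written past the table before the guard runs; the check has to precede that loop, not just the memsets. As in set_tb_size, a silent return leaves cb_width/cb_height/cqt_depth unset for a coding unit the decoder will go on to use; the CU position and size should be validated against the picture grid when the coding unit is parsed and the bitstream rejected with an error there. The bound again comes from the PPS min-TU dimensions rather than from the size the tables were allocated with, which this hunk does not show, so confirm they match.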
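Review bot: In the derive_mmvd hunk (@@ -1287,10 +1294,15 @@) the four `const int diff[] = { ... };` lines are removed and re-added with no change other than indentation just to slot the new check in front of them; insert `if (mvf->ref_idx[L0] >= rpl[L0].nb_refs || mvf->ref_idx[L1] >= rpl[L1].nb_refs) return;` before the existing declaration and leave those lines out of the diff, so the hunk contains only the added check. More substantively, ref_idx is read from the bitstream, and a value that is >= nb_refs should be rejected with an error at the point where it is parsed: returning early from derive_mmvd leaves the MvField without the MMVD offset applied, and only the PF_BI branch shown here is guarded, so any other code that indexes `rpl[L0].refs` / `rpl[L1].refs` with the same ref_idx values would still see the bad index.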
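Review bot: In the palette_update_predictor hunk (@@ -1932,7 +1944,11 @@) clamping `i` to VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE immediately before the memcpy hides the problem rather than fixing it: `i` is produced by the loop whose closing braces form the hunk's leading context, and if that loop can yield `i > VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE` the input is invalid and the bound belongs on that loop with an error return, not on a silent truncation that sets `pp->size` to a smaller predictor than the bitstream describes and leaves decoding desynchronised. The clamp also assumes `plt->entries` holds at least VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE entries, which the hunk does not show. Formatting: the new comment, the `if`, and the re-added `memcpy` are at column 0 while the removed `memcpy` line was indented, so the hunk deletes and re-adds the memcpy only to change its indentation; keep the original line untouched and indent the added lines to match the surrounding code.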