>From 57c3d02f6de69268f181436ddbb24b7bbda0c81f Mon Sep 17 00:00:00 2001
From: OxBat
Date: Sat, 3 Jan 2026 19:23:44 +0100
Subject: [PATCH] avcodec & compat: fix OOB access, integer overflows and DLL hijacking
---
 compat/android/binder.c | 6 +++++-
 libavcodec/dxv.c | 2 +-
 libavcodec/eatqi.c | 6 ++++++
 libavcodec/qdm2.c | 4 ++++
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/compat/android/binder.c b/compat/android/binder.c
index a214d977cc..1efcf155a1 100644
--- a/compat/android/binder.c
+++ b/compat/android/binder.c
@@ -41,7 +41,11 @@ static void *dlopen_libbinder_ndk(void)
 * See also: https://source.android.com/docs/core/architecture/aidl/aidl-backends
 */
- void *h = dlopen("libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
+ /* PATCH SECURITY DLL Hijacking*/
+ void *h = dlopen("/system/lib64/libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
+ if (!h) {
+ h = dlopen("/system/lib/libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
+ }
 if (h != NULL)
 return h;
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 07eee253e7..daa233f969 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -73,7 +73,7 @@ typedef struct DXVContext {
 break; \
 case 2: \
 idx = (bytestream2_get_byte(gbc) + 2) * x; \
- if (idx > pos) { \
+ if (idx > pos || idx > ctx->tex_size) return AVERROR_INVALIDDATA; /* PATCH Index Underflow*/ \
 av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \
 return AVERROR_INVALIDDATA; \
 } \
diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c
index 421ed51009..43425ef619 100644
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -111,6 +111,12 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame,
 static void tqi_calculate_qtable(TqiContext *t, int quant)
 {
+ /* PATCH: Prevent underflow */
+ if (quant > 107) {
+ av_log(t->avctx, AV_LOG_ERROR, "Invalid quantizer value: %d, clamping to 107\n", quant);
+ quant = 107;
+ }
 const int64_t qscale = (215 - 2*quant)*5;
 int i;
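Review bot: The comment `/* PATCH SECURITY DLL Hijacking*/` on the first `+` line doesn't say what the absolute paths buy, and probing /system/lib64 before /system/lib at run time means a 32-bit process presumably pays one failing dlopen() of the wrong ELF class before the right one. A name containing '/' is opened as a path rather than searched, so the change does close the search-order issue; record that in the comment and pick the directory by ABI at compile time instead of probing, as below. Whether there is a further fallback after `return h;` isn't visible here: dlopen_libbinder_ndk starts before the hunk and continues past it.
```c
    /* Open by absolute path: a name containing '/' is not looked up through
     * the library search order, so a libbinder_ndk.so placed earlier in that
     * order cannot be substituted. Pick the ABI directory at compile time. */
#ifdef __LP64__
    void *h = dlopen("/system/lib64/libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
#else
    void *h = dlopen("/system/lib/libbinder_ndk.so", RTLD_NOW | RTLD_LOCAL);
#endif
    /* … unchanged: if (h != NULL) return h; … */
```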
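Review bot: The rewritten `+` line drops the `{` that the original opened, while the three context lines below it still carry the `av_log()`, the `return` and the closing `}`, so the macro body now has an unmatched brace and the error path is no longer conditional — every expansion of this `case 2` arm either fails to compile or returns AVERROR_INVALIDDATA unconditionally. Keep the block and widen only the condition: `if (idx > pos || idx > ctx->tex_size) { /* idx past pos or past tex_size: PATCH Index Underflow */ \`, and extend the `av_log()` message so it also reports `ctx->tex_size`, since "idx %d > %d" now covers two limits. Whether `ctx` is in scope at every expansion site isn't visible in the hunk (the original compared only against `pos`); the macro starts and ends outside the hunk.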
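Review bot: The bound 107 is repeated three times in the added block with nothing tying it to the expression it protects, `qscale = (215 - 2*quant)*5`, which is non-positive exactly when `quant > 107`; define it once, e.g. `enum { TQI_MAX_QUANT = 107 }; /* largest quant for which (215 - 2*quant) stays positive */`, and use it in the comparison, the log message and the assignment. The comment `/* PATCH: Prevent underflow */` names the wrong effect — `qscale` is an int64_t and cannot underflow here, it simply goes negative — so say `/* keep qscale = (215 - 2*quant)*5 positive */` instead. Clamping decodes a malformed stream with a different quantizer rather than rejecting it; since this function returns void, the caller (outside the hunk) is the place to reject an out-of-range quant with AVERROR_INVALIDDATA if that is preferred. `t->avctx` is assumed to be a member of TqiContext; the function continues past the hunk.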
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index b2136c6824..f2029479c7 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -978,6 +978,10 @@ static int process_subpacket_9(QDM2Context *q, QDM2SubPNode *node)
 GetBitContext gb;
 int i, j, k, n, ch, run, level, diff;
+ /* PATCH: Prevent integer overflow */
+ if (node->packet->size > INT_MAX / 8) {
+ return AVERROR_INVALIDDATA;
+ }
 init_get_bits(&gb, node->packet->data, node->packet->size * 8);
 n = coeff_per_sb_for_avg[q->coeff_per_sb_select][QDM2_SB_USED(q->sub_sampling) - 1] + 1;
--
2.52.0.windows.1
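Review bot: The added guard before `init_get_bits()` stops the positive overflow of `node->packet->size * 8` but, if `size` is a signed int, still passes a negative size through to the multiplication; `init_get_bits8()` takes a byte count, performs this same `INT_MAX / 8` check plus the negative check internally, and reports through its return value, so the four added lines and the call can become `if (init_get_bits8(&gb, node->packet->data, node->packet->size) < 0) return AVERROR_INVALIDDATA;`. That also checks a return value the context line currently ignores. The type of `size` isn't visible in the hunk; process_subpacket_9 continues past it.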