From: Reaxx via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: Michael Niedermayer, Reaxx
Date: Fri, 7 Nov 2025 18:20:38 +0100
Subject: [FFmpeg-devel] [PATCH] avcodec/rv60dec: add upper bound check for qp

This patch fixes an out-of-bounds read in the RV60 decoder where qp can reach 65, exceeding the rv60_qp_to_idx[64] array bounds.

The previous fix (61cbcaf93f) only covered intra frames. This adds validation at the source for all frame types.

[Attachment: 0001-avcodec-rv60dec-add-upper-bound-check-for-qp.patch]