On Sun, Feb 09, 2025 at 03:24:21AM +0100, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 385170375/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-4710055187906560
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/rv60dec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
> index 0c2e03d7370..24981015a94 100644
> --- a/libavcodec/rv60dec.c
> +++ b/libavcodec/rv60dec.c
> @@ -2257,7 +2257,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata, int cu_y, int thread
>      thread.avg_linesize[1] = 32;
>      thread.avg_linesize[2] = 32;
>  
> -    if ((ret = init_get_bits8(&gb, s->slice[cu_y].data, s->slice[cu_y].size)) < 0)
> +    if ((ret = init_get_bits8(&gb, s->slice[cu_y].data, s->slice[cu_y].data_size)) < 0)
>          return ret;
>  
>      for (int cu_x = 0; cu_x < s->cu_width; cu_x++) {

nice find. please apply, thanks.

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)