Hi Reaxx On Fri, Nov 07, 2025 at 06:20:38PM +0100, Reaxx via ffmpeg-devel wrote: > This patch fixes an out-of-bounds read in the RV60 decoder where qp can > reach 65, exceeding the rv60_qp_to_idx[64] array bounds. The previous fix > (61cbcaf93f) only covered intra frames. This adds validation at the source > for all frame types. > rv60dec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > 57b6f4d726a8d8959a14807b0fa1fb162ce7bd74 /var0001-avcodec-rv60dec-add-upper-bound-check-for-qp.patch > From c7a4ef1c2d235e73be849028c145949eac6ae9ef Mon Sep 17 00:00:00 2001 > From: oblivionsage > Date: Fri, 7 Nov 2025 18:08:14 +0100 > Subject: [PATCH] avcodec/rv60dec: add upper bound check for qp > > The quantization parameter (qp) can exceed 63 when the base value > from frame header (0-63) is combined with the offset from slice data > (up to +2), resulting in qp=65. This causes out-of-bounds access to > the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and > get_c4x4_set(). > > Previous fix in commit 61cbcaf93f3b2e10124f4c63ce7cd8dad6505fb2 added validation only for intra > frames at a later stage. This patch adds validation at the source > in decode_slice() to prevent invalid qp values for all frame types. This is not correct, the current code is not just checking qp in the intra case > > Fixes: Out-of-bounds read reported by OSS-Fuzz (clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264) This is incorrect, this testcase does not trigger the issue fixed in this patch There is in fact no testcase for the issue this fixes to the best of my knowledge. i will apply this with a corrected commit message thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I have often repented speaking, but never of holding my tongue. -- Xenocrates