From: Michael Niedermayer via ffmpeg-devel
To: FFmpeg development discussions and patches
Date: Fri, 7 Nov 2025 22:13:38 +0100
Subject: [FFmpeg-devel] Re: [PATCH] avcodec/rv60dec: add upper bound check for qp
Hi Reaxx

On Fri, Nov 07, 2025 at 06:20:38PM +0100, Reaxx via ffmpeg-devel wrote:
> This patch fixes an out-of-bounds read in the RV60 decoder where qp can
> reach 65, exceeding the rv60_qp_to_idx[64] array bounds. The previous fix
> (61cbcaf93f) only covered intra frames. This adds validation at the source
> for all frame types.
>
> rv60dec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 57b6f4d726a8d8959a14807b0fa1fb162ce7bd74 /var0001-avcodec-rv60dec-add-upper-bound-check-for-qp.patch
> From c7a4ef1c2d235e73be849028c145949eac6ae9ef Mon Sep 17 00:00:00 2001
> From: oblivionsage
> Date: Fri, 7 Nov 2025 18:08:14 +0100
> Subject: [PATCH] avcodec/rv60dec: add upper bound check for qp
>
> The quantization parameter (qp) can exceed 63 when the base value
> from frame header (0-63) is combined with the offset from slice data
> (up to +2), resulting in qp=65. This causes out-of-bounds access to
> the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and
> get_c4x4_set().
>
> Previous fix in commit 61cbcaf93f3b2e10124f4c63ce7cd8dad6505fb2 added validation only for intra
> frames at a later stage. This patch adds validation at the source
> in decode_slice() to prevent invalid qp values for all frame types.

This is not correct, the current code is not just checking qp in the intra case.

>
> Fixes: Out-of-bounds read reported by OSS-Fuzz (clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264)

This is incorrect, this testcase does not trigger the issue fixed in this patch.
There is in fact no testcase for the issue this fixes to the best of my knowledge.

I will apply this with a corrected commit message

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I have often repented speaking, but never of holding my tongue.
-- Xenocrates
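To illustrate the qp derivation the quoted commit message describes, here is an added C example; it is not FFmpeg's code and does not reproduce the real table contents or function names. It shows the unchecked sum of a 0..63 frame-header qp and a per-slice offset indexing a 64-entry table, beside a version that validates the combined value before any lookup; the 0..2 offset range and the stand-in table are assumptions taken from the description ("up to +2").

```c
#include <stdint.h>
#include <stdio.h>

#define QP_TABLE_SIZE 64

/* Constructed stand-in for rv60_qp_to_idx[64]; not the real contents. */
static const uint8_t qp_to_idx[QP_TABLE_SIZE] = { [0] = 0, [63] = 63 };

/* The unchecked combination: 63 + 2 yields 65, one past the last index. */
int derive_qp_unchecked(int frame_qp, int slice_offset)
{
    return frame_qp + slice_offset;
}

/* Validation where qp is formed, so every slice of every frame type is
 * covered.  Returns 0 and stores qp, or -1 when it would not fit the table. */
int derive_qp_checked(int frame_qp, int slice_offset, int *qp_out)
{
    if (frame_qp < 0 || frame_qp > 63)          /* 6-bit header field */
        return -1;
    if (slice_offset < 0 || slice_offset > 2)   /* assumed offset range */
        return -1;
    int qp = frame_qp + slice_offset;
    if (qp >= QP_TABLE_SIZE)                    /* 63 + 2 == 65 lands here */
        return -1;
    *qp_out = qp;
    return 0;
}

/* Lookup reachable only with a validated qp; -1 signals invalid input
 * instead of reading past the array. */
int qp_index(int frame_qp, int slice_offset)
{
    int qp;
    if (derive_qp_checked(frame_qp, slice_offset, &qp) < 0)
        return -1;
    return qp_to_idx[qp];
}

int main(void)
{
    printf("unchecked 63+2 = %d, table holds %d entries\n",
           derive_qp_unchecked(63, 2), QP_TABLE_SIZE);
    printf("checked 63+2 -> %d, checked 61+2 -> %d\n",
           qp_index(63, 2), qp_index(61, 2));
    return 0;
}
```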