From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 00BEB4D0A9
	for <ffmpegdev@gitmailbox.com>; Fri,  7 Nov 2025 21:39:12 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'DhTL3MhniRhcMULOAEs5GAc1cwIe8exki4QY8O4EOuo=', expected 
   b'XGMtPp86z3yuNUFnYl4bwm7TBC8G8K0NmxdxQrRdXoM=')) 
   header.d=niedermayer.cc header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1762551539; h=date : to :
 message-id : references : mime-version : in-reply-to : reply-to :
 subject : list-id : list-archive : list-archive : list-help :
 list-owner : list-post : list-subscribe : list-unsubscribe : from : cc
 : content-type : from;
 bh=L6Bhn/4iSaAZYE8bCnyM9l4COjYSMBzWieTwfxSgfEc=;
 b=uVLDoNmj9v3LIyuJUwIdkgAIKo4y8pNcxspl465FPWDV66hJ9WhVLEAknYuL8lY+tVxjK
 EiCP9D2Lob43/4KbjUftEgfHMIoFm1aXcXUYI+EXd76NT9XIvqe/7ZXJYzWzvZ1N+lL1zA+
 LFGKxylecwbRTW3uIpsEK7N/rOvIcyFC3RwW9suV1QUIwBWf5HVP+Vo8CXXQLv4K+Q2gjUl
 TIrv3ucbRaFBrA0jnoxRUuEB2UU97GgkL4scGhVTw/J1O6wXS4TVeQSTkUcFaoV7Ro3h6I9
 xV7WdL9yx6io5f1Iqn4qbTuXnV5keIMOudMqUz0TM8RxrdOtQP10QxyN0zsw==
Received: from [172.19.0.2] (unknown [172.19.0.2])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 38A1168FB82;
	Fri,  7 Nov 2025 23:38:59 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1762551519;
 b=Q1ZtlFsp9NPVCvp6P+4MMLPQtu8wcCgBADWbdjhCdFlIw1oWaP4u0yRPoQu8RIMYtwqG1
 RoI9lHxFZ4RxtAh2l4uoQWm0g0Ru/GMg1iJzqbQMakwk7Gnq1JyiwXZqQ5s9JZ3WJL62lea
 xUsQ+AZLxVIc5QMz6EAPra/OPtRgdjXwz7u19Gul4O3ug2O9AmhMTUyUZfwrnEfvcKonG5w
 WV6q+j7oPB6R+fz+R8NzmvF7qh9aw5x66LQJU8DU8I06bfl4WmmfL2iU1wrgZMLi0aJewEO
 K9WYIZM0vxWiZKfuHUidfnKP1VSMVhpHiDIRJSKjWCGUNMck8LHlhiHs6iJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1762551519; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=DhTL3MhniRhcMULOAEs5GAc1cwIe8exki4QY8O4EOuo=;
 b=THJYUy9sEQSNDaA6rLxfiXK8DFsAb2EKWl8gpDAHKjOFO0x2Wy5FIHsPYxh1ZWRDz0pM8
 YVvLUU9OBqXnwBKj+cR5Udp2udIm5L14qprajIURQAaXG4VrPjgBI0VuWhMp6U5mw4VvX8P
 Jh/n11wvtfL1FcniZGeBA9wCSQY0tdEMLvmgAfdMsUOJSvQT5GkbS5PdY+61PhvF+veGgKk
 2Pj5vQW0nEHAhHqtjUisfUqyv1npx6qCW2GtwFHZc8hnacA49C12EimgOnrddZwtheZsuuL
 Z61kfTejr7XeZoS9K2lQJC0QXTPaqomrzMNpDBKwuTVquUlRrR4JeoOmFPhA==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=niedermayer.cc;
 arc=none;
 dmarc=none
Authentication-Results: ffmpeg.org; dkim=pass header.d=niedermayer.cc;
 arc=none (Message is not ARC signed); dmarc=none
Received: from relay9-d.mail.gandi.net (relay9-d.mail.gandi.net
 [217.70.183.199])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 4B4EE68CFAE
	for <ffmpeg-devel@ffmpeg.org>; Fri,  7 Nov 2025 23:38:26 +0200 (EET)
Received: by mail.gandi.net (Postfix) with ESMTPSA id 901234451E
	for <ffmpeg-devel@ffmpeg.org>; Fri,  7 Nov 2025 21:38:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc;
	s=gm1; t=1762551505;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=XGMtPp86z3yuNUFnYl4bwm7TBC8G8K0NmxdxQrRdXoM=;
	b=M7nL3QUv7jj97jch/Mio1LVKwvWPaq1Q8j08Bp18Wr0+eW60nJe17mAu/CEafRTy87KkNY
	/xxPmB5QHOm8pZgth4lA2ezKmfGMnBlU7ZSdiqbyhYVoPSEpJipRt2C7mKKLxMfTGbp1Oo
	1kO/YbceBRzPTb5ARffDnmc3LyotQIKNWPOqMJSGGQc6XNZycNT668BYFVotBeujxqC1Lc
	gLpkAEwoWEkoyPqODvhe+sA8PVFTFVG3rKXiI5Q0ZlakPcORgpZqerv5XhJfp2hx/cJaU4
	x7Y73DWVUDpiCNQbfkmYaE127URSkp1Mb9rSS9ZKNhg+y+UWeDMcLLu7tsV+pA==
Date: Fri, 7 Nov 2025 22:38:24 +0100
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <aQ5m0G0SluKQqQwJ@neo>
References: 
 <CAJ9qJsucu9XiGkPmqDz6Os6FKBz7Yg93RAVu9pgVpYRrVbpVNw@mail.gmail.com>
 <aQ5hAjwpIJh8Kw-M@neo>
 <CAJ9qJsvZU2nbZeJJ2Ty-RJiGjJ+Bd4TzFS5YkD_xroe3mLpoXw@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: 
 <CAJ9qJsvZU2nbZeJJ2Ty-RJiGjJ+Bd4TzFS5YkD_xroe3mLpoXw@mail.gmail.com>
X-GND-State: clean
X-GND-Score: -85
X-GND-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggdduledtjeehucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfghrlhcuvffnffculdduhedmnecujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefoihgthhgrvghlucfpihgvuggvrhhmrgihvghruceomhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtqeenucggtffrrghtthgvrhhnpeeigeektdejudffjefhteegjedtgeettefggedthfejgfevhfetgeekjedtvdfhveenucfkphepgedurdeiiedrieeirdehtdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeeguddrieeirdeiiedrhedtpdhhvghloheplhhotggrlhhhohhsthdpmhgrihhlfhhrohhmpehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgdpnhgspghrtghpthhtohepuddprhgtphhtthhopehffhhmphgvghdquggvvhgvlhesfhhfmhhpvghgrdhorhhg
X-GND-Sasl: michael@niedermayer.cc
Message-ID-Hash: 36M5FCHY7SN6VCFOA4IF3DEZH4BYUA3L
X-Message-ID-Hash: 36M5FCHY7SN6VCFOA4IF3DEZH4BYUA3L
X-MailFrom: SRS0=vofZ=5P=niedermayer.cc=michael@ffmpeg.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] Re: [PATCH] avcodec/rv60dec: add upper bound check for qp
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/36M5FCHY7SN6VCFOA4IF3DEZH4BYUA3L/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/aQ5m0G0SluKQqQwJ@neo/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: Michael Niedermayer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: Michael Niedermayer <michael@niedermayer.cc>
Content-Type: multipart/mixed; boundary="===============5300012119341120965=="
Archived-At: <https://master.gitmailbox.com/ffmpegdev/aQ5m0G0SluKQqQwJ@neo/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>


--===============5300012119341120965==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="XubwvI7DEKtvwCZu"
Content-Disposition: inline


--XubwvI7DEKtvwCZu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi

On Fri, Nov 07, 2025 at 10:19:27PM +0100, Reaxx via ffmpeg-devel wrote:
> Thanks for reviewing and applying the patch. Apologies for the incorrect
> commit message , I appreciate you correcting it. Thanks again

actually, can you check if my commit message is correct before i apply it ?

commit 3adc44bce403bf0841d7c1a933f2635037a762f8 (HEAD -> master)
Author: oblivionsage <cookieandcream560@gmail.com>
Date:   Fri Nov 7 18:08:14 2025 +0100

    avcodec/rv60dec: add upper bound check for qp

    The quantization parameter (qp) can exceed 63 when the base value
    from frame header (0-63) is combined with the offset from slice data
    (up to +2), resulting in qp=3D65. This causes out-of-bounds access to
    the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and
    get_c4x4_set().

    Fixes: Out-of-bounds read
    Signed-off-by: oblivionsage <cookieandcream560@gmail.com>

    No testsample is available

    This is related to 61cbcaf93f3b2e10124f4c63ce7cd8dad6505fb2 and cluster=
fuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264
    which fixed rv60_qp_to_idx[qp + 32] out of array access
    These 2 checks are not redundant and neither covers the cases of the ot=
her

    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 33728e33a06..b7b4f46512e 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2265,7 +2265,7 @@ static int decode_slice(AVCodecContext *avctx, void *=
tdata, int cu_y, int thread
             ff_thread_progress_await(&s->progress[cu_y - 1], cu_x + 2);

         qp =3D s->qp + read_qp_offset(&gb, s->qp_off_type);
-        if (qp < 0) {
+        if (qp < 0 || qp >=3D 64) {
             ret =3D AVERROR_INVALIDDATA;
             break;


[...]

--=20
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact

--XubwvI7DEKtvwCZu
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCaQ5mzQAKCRBhHseHBAsP
q7ipAKCNydb9DNnviZebYyNekMBE4tDnDwCfQiqqzWSQHcIAgxzThk9xzezDmik=
=XyYJ
-----END PGP SIGNATURE-----

--XubwvI7DEKtvwCZu--

--===============5300012119341120965==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

--===============5300012119341120965==--