From 360a4025fb2582d52d871ea2129d6b659598bb49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Feb 2026 01:58:01 +0100 Subject: [PATCH] avcodec/rv60dec: check last_size Fixes: signed integer overflow: 1878131215 + 2013265920 cannot be represented in type 'int' Fixes: 472729732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-4893818005815296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/rv60dec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c index 76caa6a361..2a7c5c1147 100644 --- a/libavcodec/rv60dec.c +++ b/libavcodec/rv60dec.c @@ -395,14 +395,14 @@ static int read_frame_header(RV60Context *s, GetBitContext *gb, int * width, int static int read_slice_sizes(RV60Context *s, GetBitContext *gb) { int nbits = get_bits(gb, 5) + 1; - int last_size; + int64_t last_size; for (int i = 0; i < s->cu_height; i++) s->slice[i].sign = get_bits1(gb); s->slice[0].size = last_size = get_bits_long(gb, nbits); - if (last_size < 0) + if (last_size < 0 || last_size > INT32_MAX) return AVERROR_INVALIDDATA; for (int i = 1; i < s->cu_height; i++) { @@ -411,7 +411,7 @@ static int read_slice_sizes(RV60Context *s, GetBitContext *gb) last_size += diff; else last_size -= diff; - if (last_size <= 0) + if (last_size <= 0 || last_size > INT32_MAX) return AVERROR_INVALIDDATA; s->slice[i].size = last_size; }