[PATCH 1/7] avcodec/mmvideo: fix paltte index
Fixes: 391935573/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-4655048979709952 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index 7313507debc..2a0c855992e 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -91,7 +91,7 @@ static void mm_decode_pal(MmContext *s)
 int start = bytestream2_get_le16(&s->gb);
 int count = bytestream2_get_le16(&s->gb);
 for (int i = 0; i < count; i++)
- s->palette[start+i] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
+ s->palette[(start+i)&0xFF] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
 }
 /**
-- 2.49.0
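Review bot: Masking the index in `s->palette[(start+i)&0xFF]` keeps the write in bounds only if the palette holds 256 entries, and it turns an out-of-range `start`/`count` pair into silent wrap-around instead of a rejected or truncated update. Both fields are read with `bytestream2_get_le16`, so the loop can still run up to 65535 times and overwrite entries it has already set. Clamping before the loop would make the intent explicit, for example `if (start >= 256) return;` followed by `count = FFMIN(count, 256 - start);`, with a comment naming the palette size. Whether wrap-around is wanted for compatibility with existing files is not visible from the hunk, so confirm before changing it.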
The code uses int, unsigned int and uint16_t to store num_entry_point_offsets This limits it to the smallest of the 3. Alternatively uint16_t can be changed and then a larger limit used. A Check will still be needed. Fixes: 391974932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5966648879677440 Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index a7a91769fec..636df5a4e9e 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -1110,7 +1110,7 @@ static int hls_slice_header(SliceHeader *sh, const HEVCContext *s, GetBitContext
 if (pps->tiles_enabled_flag || pps->entropy_coding_sync_enabled_flag) {
 unsigned num_entry_point_offsets = get_ue_golomb_long(gb);
 // It would be possible to bound this tighter but this here is simpler
- if (num_entry_point_offsets > get_bits_left(gb)) {
+ if (num_entry_point_offsets > get_bits_left(gb) || num_entry_point_offsets > UINT16_MAX) {
 av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets);
 return AVERROR_INVALIDDATA;
 }
-- 2.49.0
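Review bot: The first half of the new condition still compares an `unsigned` against the `int` returned by `get_bits_left(gb)`, so if the reader has already run past the end the negative count converts to a large unsigned value and that half never rejects anything. The added `UINT16_MAX` bound now limits the effect, but an explicit form such as `int left = get_bits_left(gb);` with `left < 0 || num_entry_point_offsets > (unsigned)left` would not depend on it. The error path prints the unsigned value with `%d`; `%u` matches the type. A comment next to `UINT16_MAX` saying that the count is later stored in a `uint16_t` field, as the commit message explains, would keep the limit from looking arbitrary. hls_slice_header continues outside the hunk.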
On Thu, May 08, 2025 at 11:57:33PM +0200, Michael Niedermayer wrote:
The code uses int, unsigned int and uint16_t to store num_entry_point_offsets This limits it to the smallest of the 3. Alternatively uint16_t can be changed and then a larger limit used. A Check will still be needed.
Fixes: 391974932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5966648879677440 Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If one takes all money from those who grow wealth and gives it to those who do not grow wealth, 10 years later, almost the same people who where wealthy will be wealthy again, the same people who where poor will be poor again.
Fixes: out of array access Fixes: 394638693/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4868142996455424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/speexdec.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 60daab3b015..94dce5420cc 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -169,7 +169,7 @@ typedef struct SpeexSubmode {
 typedef struct SpeexMode {
 int modeID; /**< ID of the mode */
- int (*decode)(AVCodecContext *avctx, void *dec, GetBitContext *gb, float *out);
+ int (*decode)(AVCodecContext *avctx, void *dec, GetBitContext *gb, float *out, int packets_left);
 int frame_size; /**< Size of frames used for decoding */
 int subframe_size; /**< Size of sub-frames used for decoding */
 int lpc_size; /**< Order of LPC filter */
@@ -521,8 +521,8 @@ static const SpeexSubmode wb_submode4 = {
 split_cb_shape_sign_unquant, &split_cb_high, -1.f
 };
-static int nb_decode(AVCodecContext *, void *, GetBitContext *, float *);
-static int sb_decode(AVCodecContext *, void *, GetBitContext *, float *);
+static int nb_decode(AVCodecContext *, void *, GetBitContext *, float *, int packets_left);
+static int sb_decode(AVCodecContext *, void *, GetBitContext *, float *, int packets_left);
 static const SpeexMode speex_modes[SPEEX_NB_MODES] = {
 {
@@ -867,7 +867,7 @@ static void lsp_to_lpc(const float *freq, float *ak, int lpcrdr)
 }
 static int nb_decode(AVCodecContext *avctx, void *ptr_st,
- GetBitContext *gb, float *out)
+ GetBitContext *gb, float *out, int packets_left)
 {
 DecoderState *st = ptr_st;
 float ol_gain = 0, ol_pitch_coef = 0, best_pitch_gain = 0, pitch_average = 0;
@@ -1218,7 +1218,7 @@ static void qmf_synth(const float *x1, const float *x2, const float *a, float *y
 }
 static int sb_decode(AVCodecContext *avctx, void *ptr_st,
- GetBitContext *gb, float *out)
+ GetBitContext *gb, float *out, int packets_left)
 {
 SpeexContext *s = avctx->priv_data;
 DecoderState *st = ptr_st;
@@ -1234,9 +1234,11 @@ static int sb_decode(AVCodecContext *avctx, void *ptr_st,
 mode = st->mode;
 if (st->modeID > 0) {
+ if (packets_left <= 1)
+ return AVERROR_INVALIDDATA;
 low_innov_alias = out + st->frame_size;
 s->st[st->modeID - 1].innov_save = low_innov_alias;
- ret = speex_modes[st->modeID - 1].decode(avctx, &s->st[st->modeID - 1], gb, out);
+ ret = speex_modes[st->modeID - 1].decode(avctx, &s->st[st->modeID - 1], gb, out, packets_left);
 if (ret < 0)
 return ret;
 }
@@ -1559,7 +1561,7 @@ static int speex_decode_frame(AVCodecContext *avctx, AVFrame *frame,
 dst = (float *)frame->extended_data[0];
 for (int i = 0; i < frames_per_packet; i++) {
- ret = speex_modes[s->mode].decode(avctx, &s->st[s->mode], &s->gb, dst + i * s->frame_size);
+ ret = speex_modes[s->mode].decode(avctx, &s->st[s->mode], &s->gb, dst + i * s->frame_size, frames_per_packet - i);
 if (ret < 0)
 return ret;
 if (avctx->ch_layout.nb_channels == 2)
-- 2.49.0
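Review bot: In the `@@ -1234` hunk of sb_decode, the new guard `if (packets_left <= 1) return AVERROR_INVALIDDATA;` fires on the last frame of every packet, because speex_decode_frame passes `frames_per_packet - i`, which is 1 on the final iteration. As far as the visible lines show, any state with `st->modeID > 0` would then fail on its last frame, including packets that carry a single frame. If the aim is only to keep `out + st->frame_size` inside the output buffer, a bound on the samples remaining rather than on the frame count would be narrower; the relation between `st->frame_size` and `s->frame_size` is outside these hunks, so this needs confirming. The parameter is named `packets_left` while the caller passes frames remaining; `frames_left`, with a comment such as `/* innov_save of the lower mode points at out + st->frame_size */`, would document what the guard protects.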
On Thu, May 08, 2025 at 11:57:34PM +0200, Michael Niedermayer wrote:
Fixes: out of array access Fixes: 394638693/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4868142996455424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/speexdec.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)
will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Some people wanted to paint the bikeshed green, some blue and some pink. People argued and fought, when they finally agreed, only rust was left.
Fixes: division by 0 Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/iff.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 7142a06e98f..9402be48c98 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -510,6 +510,8 @@ static int iff_read_header(AVFormatContext *s)
 sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO;
 else if (sta->codecpar->ch_layout.nb_channels == 2)
 sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO;
+ else if (sta->codecpar->ch_layout.nb_channels == 0)
+ return AVERROR_INVALIDDATA;
 break;
 case ID_ABIT:
-- 2.49.0
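Review bot: The added branch rejects only `nb_channels == 0`, and the division named in the commit message is not in this hunk, so a reader cannot see what the check protects. A comment on the new branch would close that gap, for example `/* nb_channels is used as a divisor later; reject 0 here */`. If the field is signed and taken from the file, `<= 0` may be the safer test; the parsing code is outside the hunk, so confirm. Values other than 0, 1 and 2 still leave this case with whatever layout was set before, which may or may not be intended. iff_read_header starts and ends outside the hunk.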
On Thu, May 08, 2025 at 11:57:35PM +0200, Michael Niedermayer wrote:
Fixes: division by 0 Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/iff.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c index 7142a06e98f..9402be48c98 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -510,6 +510,8 @@ static int iff_read_header(AVFormatContext *s) sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO; else if (sta->codecpar->ch_layout.nb_channels == 2) sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO; + else if (sta->codecpar->ch_layout.nb_channels == 0) + return AVERROR_INVALIDDATA; break;
case ID_ABIT:
please apply -- Peter (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
On Fri, May 09, 2025 at 07:07:19PM +1000, Peter Ross wrote:
On Thu, May 08, 2025 at 11:57:35PM +0200, Michael Niedermayer wrote:
Fixes: division by 0 Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/iff.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c index 7142a06e98f..9402be48c98 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -510,6 +510,8 @@ static int iff_read_header(AVFormatContext *s) sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO; else if (sta->codecpar->ch_layout.nb_channels == 2) sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO; + else if (sta->codecpar->ch_layout.nb_channels == 0) + return AVERROR_INVALIDDATA; break;
case ID_ABIT:
please apply
will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I am the wisest man alive, for I know one thing, and that is that I know nothing. -- Socrates
Fixes: out of array read Fixes: 397731127/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5577772965101568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/aac/aacdec_usac.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index ef0c115aa09..e03e6e015f0 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -1023,8 +1023,9 @@ static void apply_noise_fill(AACDecContext *ac, SingleChannelElement *sce,
 }
 }
- if (band_quantized_to_zero)
- sce->sfo[g*ics->max_sfb + sfb] += noise_offset;
+ if (band_quantized_to_zero) {
+ sce->sfo[g*ics->max_sfb + sfb] = FFMAX(sce->sfo[g*ics->max_sfb + sfb] + noise_offset, -200);
+ }
 }
 coef += g_len << 7;
 }
-- 2.49.0
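Review bot: The clamp value `-200` in the new `FFMAX(...)` is a bare constant with no comment tying it to the table or range that `sce->sfo[]` is later used against, so the next reader cannot tell whether it is the right bound. Only the lower side is clamped; if `noise_offset` can be positive, the upper side of the same range is worth checking too, though its range is not visible here. A named constant, or a comment such as `/* keep sfo within the range the scalefactor lookup accepts */` next to the clamp, would document the invariant. apply_noise_fill starts and ends outside the hunk.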
On Thu, May 08, 2025 at 11:57:36PM +0200, Michael Niedermayer wrote:
Fixes: out of array read Fixes: 397731127/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5577772965101568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/aac/aacdec_usac.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Its not that you shouldnt use gotos but rather that you should write readable code and code with gotos often but not always is less readable
Fixes: out of array read in decode_cu_16x16() Fixes: 398049430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5525836849807360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/rv60dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 24981015a94..d704ae512c2 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -1791,7 +1791,7 @@ static int decode_cu_r(RV60Context * s, AVFrame * frame, ThreadContext * thread,
 ttype = cu.pu_type == PU_FULL ? TRANSFORM_8X8 : TRANSFORM_4X4;
 is_intra = cu.cu_type == CU_INTRA;
- if (is_intra && qp >= 32)
+ if (qp >= 32)
 return AVERROR_INVALIDDATA;
 cu_pos = ((xpos & 63) >> 3) + ((ypos & 63) >> 3) * 8;
-- 2.49.0
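Review bot: The check `if (qp >= 32)` bounds `qp` only from above; if `qp` is a signed value derived from the bitstream, a negative value would pass and reach the same lookups, so `if (qp < 0 || qp >= 32)` may be needed. The declaration and derivation of `qp` are outside the hunk, so this needs confirming. A short comment stating what the limit of 32 corresponds to would also explain why it now applies to non-intra blocks. decode_cu_r starts and ends outside the hunk.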
On Thu, May 08, 2025 at 11:57:37PM +0200, Michael Niedermayer wrote:
Fixes: out of array read in decode_cu_16x16() Fixes: 398049430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5525836849807360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/rv60dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c index 24981015a94..d704ae512c2 100644 --- a/libavcodec/rv60dec.c +++ b/libavcodec/rv60dec.c @@ -1791,7 +1791,7 @@ static int decode_cu_r(RV60Context * s, AVFrame * frame, ThreadContext * thread, ttype = cu.pu_type == PU_FULL ? TRANSFORM_8X8 : TRANSFORM_4X4;
is_intra = cu.cu_type == CU_INTRA; - if (is_intra && qp >= 32) + if (qp >= 32) return AVERROR_INVALIDDATA; cu_pos = ((xpos & 63) >> 3) + ((ypos & 63) >> 3) * 8;
please apply -- Peter (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
On Fri, May 09, 2025 at 07:07:51PM +1000, Peter Ross wrote:
On Thu, May 08, 2025 at 11:57:37PM +0200, Michael Niedermayer wrote:
Fixes: out of array read in decode_cu_16x16() Fixes: 398049430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5525836849807360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/rv60dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c index 24981015a94..d704ae512c2 100644 --- a/libavcodec/rv60dec.c +++ b/libavcodec/rv60dec.c @@ -1791,7 +1791,7 @@ static int decode_cu_r(RV60Context * s, AVFrame * frame, ThreadContext * thread, ttype = cu.pu_type == PU_FULL ? TRANSFORM_8X8 : TRANSFORM_4X4;
is_intra = cu.cu_type == CU_INTRA; - if (is_intra && qp >= 32) + if (qp >= 32) return AVERROR_INVALIDDATA; cu_pos = ((xpos & 63) >> 3) + ((ypos & 63) >> 3) * 8;
please apply
will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB No great genius has ever existed without some touch of madness. -- Aristotle
Fixes: shift exponent 49 is too large for 32-bit type 'int' Fixes: 398060145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5023082406543360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index 24f4218931d..4b021ea9c1f 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -652,8 +652,8 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
 /* Consequence of established layer dependencies */
 if (layer1_id_included &&
- layer1_id_included != ((1 << vps->layer_id_in_nuh[0]) |
- (1 << vps->layer_id_in_nuh[1]))) {
+ layer1_id_included != ((1ULL << vps->layer_id_in_nuh[0]) |
+ (1ULL << vps->layer_id_in_nuh[1]))) {
 av_log(avctx, AV_LOG_ERROR, "Dependent layer not included in layer ID?\n");
 return AVERROR_PATCHWELCOME;
-- 2.49.0
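Review bot: `1ULL << vps->layer_id_in_nuh[0]` is defined only while the shift count is below 64, and nothing in the hunk shows `layer_id_in_nuh[]` being range-checked, so the fix relies on validation done elsewhere. The comparison also works as intended only if `layer1_id_included` is itself a 64-bit unsigned variable; with a narrower type the bits above 31 can never match. Both declarations are outside the hunk, so confirm them. If the ids are limited to six bits, a comment such as `/* layer ids are below 64, so the mask needs 64 bits */` would record why `1ULL` is sufficient.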
On 5/8/2025 6:57 PM, Michael Niedermayer wrote:
Fixes: shift exponent 49 is too large for 32-bit type 'int' Fixes: 398060145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5023082406543360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c index 24f4218931d..4b021ea9c1f 100644 --- a/libavcodec/hevc/ps.c +++ b/libavcodec/hevc/ps.c @@ -652,8 +652,8 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
/* Consequence of established layer dependencies */ if (layer1_id_included && - layer1_id_included != ((1 << vps->layer_id_in_nuh[0]) | - (1 << vps->layer_id_in_nuh[1]))) { + layer1_id_included != ((1ULL << vps->layer_id_in_nuh[0]) | + (1ULL << vps->layer_id_in_nuh[1]))) {
LGTM.
On Thu, May 08, 2025 at 07:10:38PM -0300, James Almer wrote:
On 5/8/2025 6:57 PM, Michael Niedermayer wrote:
Fixes: shift exponent 49 is too large for 32-bit type 'int' Fixes: 398060145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5023082406543360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c index 24f4218931d..4b021ea9c1f 100644 --- a/libavcodec/hevc/ps.c +++ b/libavcodec/hevc/ps.c @@ -652,8 +652,8 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps /* Consequence of established layer dependencies */ if (layer1_id_included && - layer1_id_included != ((1 << vps->layer_id_in_nuh[0]) | - (1 << vps->layer_id_in_nuh[1]))) { + layer1_id_included != ((1ULL << vps->layer_id_in_nuh[0]) | + (1ULL << vps->layer_id_in_nuh[1]))) {
LGTM.
will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB What is kyc? Its a tool that makes you give out your real ID, while criminals give out a forged ID card.
On Thu, May 08, 2025 at 11:57:32PM +0200, Michael Niedermayer wrote:
Fixes: 391935573/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-4655048979709952 Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 7313507debc..2a0c855992e 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -91,7 +91,7 @@ static void mm_decode_pal(MmContext *s) int start = bytestream2_get_le16(&s->gb); int count = bytestream2_get_le16(&s->gb); for (int i = 0; i < count; i++) - s->palette[start+i] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2); + s->palette[(start+i)&0xFF] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2); }
please apply -- Peter (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
On Fri, May 09, 2025 at 07:06:42PM +1000, Peter Ross wrote:
On Thu, May 08, 2025 at 11:57:32PM +0200, Michael Niedermayer wrote:
Fixes: 391935573/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-4655048979709952 Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 7313507debc..2a0c855992e 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -91,7 +91,7 @@ static void mm_decode_pal(MmContext *s) int start = bytestream2_get_le16(&s->gb); int count = bytestream2_get_le16(&s->gb); for (int i = 0; i < count; i++) - s->palette[start+i] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2); + s->palette[(start+i)&0xFF] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2); }
please apply
will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If you fake or manipulate statistics in a paper in physics you will never get a job again. If you fake or manipulate statistics in a paper in medicin you will get a job for life at the pharma industry.