
4 Commits

Author SHA1 Message Date
Lynne
bce14bb160 hwcontext_vulkan: fix compilation with older header versions 2025-12-03 21:22:54 +01:00
Oliver Chang
041d4f010e libavcodec/prores_raw: Fix heap-buffer-overflow in decode_frame
Fixes a heap-buffer-overflow in `decode_frame` where `header_len` read
from the bitstream was not validated against the remaining bytes in the
input buffer (`gb`). This allowed `gb_hdr` to be initialized with a size
exceeding the actual packet data, leading to an out-of-bounds read.

The fix adds a check to ensure `bytestream2_get_bytes_left(&gb)` is
greater than or equal to `header_len - 2` before initializing `gb_hdr`.

Fixes: https://issues.oss-fuzz.com/issues/439711053
2025-12-03 16:40:02 +00:00
Andreas Rheinhardt
e3e3265034 tests/checkasm/mpegvideo_unquantize: Add missing const
Fixes this test under UBSan:
runtime error: call to function dct_unquantize_mpeg1_intra_c through pointer to incorrect function type 'void (*)(struct MpegEncContext *, short *, int, int)'
I don't know how I could forget this.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2025-12-03 14:17:58 +01:00
Martin Storsjö
b98179cec6 avcodec/{arm,neon}/mpegvideo: Readd a missed initialization
This was accidentally removed in
357fc5243c.

This fixes test failures when built with Clang and MSVC;
surprisingly, the checkasm test did seem to pass when built with
GCC. Clang and MSVC also warn about the use of the uninitialized
variable, while GCC didn't.
2025-12-03 13:53:54 +02:00
4 changed files with 8 additions and 6 deletions


@@ -41,6 +41,8 @@ static void inline ff_dct_unquantize_h263_neon(int qscale, int qadd, int nCoeffs
int16x8_t q14s16, q15s16, qzs16;
uint16x8_t q1u16, q9u16;
qzs16 = vdupq_n_s16(0);
q15s16 = vdupq_n_s16(qscale << 1);
q14s16 = vdupq_n_s16(qadd);
q13s16 = vnegq_s16(q14s16);


@@ -360,7 +360,7 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
int header_len = bytestream2_get_be16(&gb);
if (header_len < 62)
if (header_len < 62 || bytestream2_get_bytes_left(&gb) < header_len - 2)
return AVERROR_INVALIDDATA;
GetByteContext gb_hdr;
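Review bot: The bound `header_len - 2` in the new condition is an unexplained offset that has to match the length later handed to `gb_hdr`, and that initialization is outside this hunk. Computing it once, e.g. `int hdr_size = header_len - 2;`, testing `bytestream2_get_bytes_left(&gb) < hdr_size` and passing the same variable when `gb_hdr` is set up would keep the validated size and the used size from drifting apart. A short comment such as `/* header_len presumably counts the 2-byte length field already read from gb; confirm against the format */` would also explain both the 62 and the -2. decode_frame starts and ends outside the hunk.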


@@ -2569,7 +2569,7 @@ static int switch_layout_host(AVHWFramesContext *hwfc, FFVkExecPool *ectx,
VkResult ret;
VulkanDevicePriv *p = hwfc->device_ctx->hwctx;
FFVulkanFunctions *vk = &p->vkctx.vkfn;
VkHostImageLayoutTransitionInfo layout_change[AV_NUM_DATA_POINTERS];
VkHostImageLayoutTransitionInfoEXT layout_change[AV_NUM_DATA_POINTERS];
int nb_images = ff_vk_count_images(frame);
VkImageLayout new_layout;
@@ -2585,7 +2585,7 @@ static int switch_layout_host(AVHWFramesContext *hwfc, FFVkExecPool *ectx,
return AVERROR(ENOTSUP);
for (i = 0; i < nb_images; i++) {
layout_change[i] = (VkHostImageLayoutTransitionInfo) {
layout_change[i] = (VkHostImageLayoutTransitionInfoEXT) {
.sType = VK_STRUCTURE_TYPE_HOST_IMAGE_LAYOUT_TRANSITION_INFO,
.image = frame->img[i],
.oldLayout = frame->layout[i],
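Review bot: The `.sType` initializer directly below the changed compound literal still uses `VK_STRUCTURE_TYPE_HOST_IMAGE_LAYOUT_TRANSITION_INFO` without the suffix, while both changed lines switch the struct type to `VkHostImageLayoutTransitionInfoEXT`. As far as I know, Vulkan headers that predate the promotion of this extension to core define only the `_EXT` enumerator, so unless the file provides a fallback elsewhere this line may still fail to compile with them. `.sType = VK_STRUCTURE_TYPE_HOST_IMAGE_LAYOUT_TRANSITION_INFO_EXT,` would match the type name now in use. switch_layout_host starts and ends outside these hunks.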


@@ -215,11 +215,11 @@ void checkasm_check_mpegvideo_unquantize(void)
int q_scale_type = rnd() & 1;
ff_mpv_unquantize_init(&unquant_dsp_ctx, 1 /* bitexact */, q_scale_type);
declare_func(void, MPVContext *s, int16_t *block, int n, int qscale);
declare_func(void, const MPVContext *s, int16_t *block, int n, int qscale);
for (size_t i = 0; i < FF_ARRAY_ELEMS(tests); ++i) {
void (*func)(MPVContext *s, int16_t *block, int n, int qscale) =
*(void (**)(MPVContext *, int16_t *, int, int))((char*)&unquant_dsp_ctx + tests[i].offset);
void (*func)(const MPVContext *s, int16_t *block, int n, int qscale) =
*(void (**)(const MPVContext *, int16_t *, int, int))((char*)&unquant_dsp_ctx + tests[i].offset);
if (check_func(func, "%s", tests[i].name)) {
MPVContext new, ref;
DECLARE_ALIGNED(16, int16_t, block_new)[64];
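Review bot: The function-pointer type is spelled out three times in this hunk (in `declare_func`, in the declaration of `func` and in the cast), which makes a mismatch like the missing `const` easy to overlook. A single typedef would keep the declaration and the cast in step, for example `typedef void (*unquantize_func)(const MPVContext *s, int16_t *block, int n, int qscale);` followed by `unquantize_func func = *(unquantize_func *)((char *)&unquant_dsp_ctx + tests[i].offset);`. The loop body continues outside the hunk.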