authorKacper Michajłow <kasper93@gmail.com>2025-08-06 18:58:10 +0200
committerKacper Michajłow <kasper93@gmail.com>2025-08-06 20:16:03 +0000
commit75f30b4d3e2320275b60be1cf3213ce2cbf55ff8 (patch)
treed032b20acb7416fd53ccbb932132994461a04b58
parentdf5199c63f497a1d462c3b46eeaf2a091c1155d3 (diff)
downloadffmpeg-75f30b4d3e2320275b60be1cf3213ce2cbf55ff8.tar.gz
avcodec/vvc/ctu: check coeff before multiply
ff_vvc_palette_escape_val() can return AVERROR in which case the coeff*scale will overflow. Fixes: runtime error: signed integer overflow: -1094995529 * 6528 cannot be represented in type 'int' Fixes: 435225406/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-5118570024730624 Found-by: OSS-Fuzz Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
-rw-r--r--libavcodec/vvc/ctu.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
index d54e6a322b..fd7d07f438 100644
--- a/libavcodec/vvc/ctu.c
+++ b/libavcodec/vvc/ctu.c
@@ -2054,9 +2054,9 @@ static int palette_subblock_data(VVCLocalContext *lc,
const int v = PALETTE_INDEX(xc, yc);
if (v == esc) {
const int coeff = ff_vvc_palette_escape_val(lc, (1 << sps->bit_depth) - 1);
- const int pixel = av_clip_intp2(RSHIFT(coeff * scale, 6), sps->bit_depth);
if (coeff < 0)
return AVERROR_INVALIDDATA;
+ const int pixel = av_clip_intp2(RSHIFT(coeff * scale, 6), sps->bit_depth);
PALETTE_SET_PIXEL(xc, yc, pixel);
} else {
PALETTE_SET_PIXEL(xc, yc, plt->entries[v]);
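Review bot: The added `coeff * scale` line is still an `int` multiplication, and the reordered check only guarantees that `coeff` is non-negative. Nothing visible in this hunk bounds `scale` or the upper range of `coeff`. The second argument `(1 << sps->bit_depth) - 1` presumably caps the returned value, but that should be confirmed in ff_vvc_palette_escape_val() together with the largest `scale` this path can see. The ordering is also now load-bearing and easy to undo in a later cleanup, so I would put a comment above the check, for example `/* coeff < 0 is an error code from ff_vvc_palette_escape_val(); reject it before coeff * scale, which would overflow int */`. palette_subblock_data() starts and ends outside the hunk, so the definition of `scale` could not be checked from here.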