avcodec/vvc/ctu: Check palette_escape_val

Fixes: integer overflow Fixes: 418314174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4871731867353088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2025-06-20 01:37:23 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2025-07-06 19:24:52 +0200
commit: 9d1e4feecebd4fbb6626b0ced5d490e183ef1eaa (patch)
tree: b80ea4e73a16f8a939ea2f6cda6ff76e697c0862
parent: 38ead08815f803690d9e0484cd84eb01344ed0e9 (diff)
download: ffmpeg-9d1e4feecebd4fbb6626b0ced5d490e183ef1eaa.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
index ba4c89b1d1..7fa2b49638 100644
--- a/libavcodec/vvc/ctu.c
+++ b/libavcodec/vvc/ctu.c
@@ -2053,6 +2053,8 @@ static int palette_subblock_data(VVCLocalContext *lc,
                 const int v = PALETTE_INDEX(xc, yc);
                 if (v == esc) {
                     const int coeff = ff_vvc_palette_escape_val(lc);
+                    if (coeff >= (1U << sps->bit_depth))
+                        return AVERROR_INVALIDDATA;
                     const int pixel = av_clip_intp2(RSHIFT(coeff * scale, 6), sps->bit_depth);
                     PALETTE_SET_PIXEL(xc, yc, pixel);
                 } else {
author	Michael Niedermayer <michael@niedermayer.cc>	2025-06-20 01:37:23 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2025-07-06 19:24:52 +0200
commit	9d1e4feecebd4fbb6626b0ced5d490e183ef1eaa (patch)
tree	b80ea4e73a16f8a939ea2f6cda6ff76e697c0862
parent	38ead08815f803690d9e0484cd84eb01344ed0e9 (diff)
download	ffmpeg-9d1e4feecebd4fbb6626b0ced5d490e183ef1eaa.tar.gz