Change #266515
| Category | ffmpeg |
| Changed by | Zhao Zhili <zhilizhao@tencent.com> |
| Changed at | Thu 07 May 2026 15:01:16 |
| Repository | https://git.ffmpeg.org/ffmpeg.git |
| Project | ffmpeg |
| Branch | master |
| Revision | 3b939ced79655ed084e6bebc493fa8b11e9b9d8b |
Comments
avcodec/hevc: limit missing-ref fill to coded planes

generate_missing_ref walked frame->f->data[] until a NULL slot, which on alpha-video frames extended to data[3] and read sps->hshift[3]/vshift[3] out of bounds. The alpha plane is produced by the alpha layer via replace_alpha_plane; the base decoder path never reads or writes it.

Bound the fill loop by the SPS coded plane count. This both removes the out-of-bounds shift access and avoids an unnecessary full-frame memset of the alpha plane.

Fixes: out of array read
Fixes: 500770604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6157374833623040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Changed files
- libavcodec/hevc/refs.c
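
The bounded fill described in the commit message, as a simplified model added here for illustration; it is not FFmpeg's code. `ModelFrame`, `ModelSPS`, the helper names, the three-entry shift tables and the 1-or-3 coded-plane rule are assumptions of the model, and the 4x4 frame is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PLANES 4  /* Y, Cb, Cr, alpha: hypothetical model of frame data[] */
#define SPS_PLANES 3  /* assumed: shift tables cover the coded planes only */

typedef struct { uint8_t *data[MAX_PLANES]; int linesize[MAX_PLANES]; } ModelFrame;
typedef struct { int height, bit_depth, chroma_format_idc;
                 int hshift[SPS_PLANES], vshift[SPS_PLANES]; } ModelSPS;

/* Planes a "walk until NULL" loop would visit; inspects pointers only. */
static int planes_until_null(const ModelFrame *f)
{
    int n = 0;
    while (n < MAX_PLANES && f->data[n])
        n++;
    return n;
}

/* Assumed rule for this model: monochrome codes 1 plane, otherwise 3. */
static int coded_planes(const ModelSPS *s) { return s->chroma_format_idc == 0 ? 1 : SPS_PLANES; }

/* Bounded fill: i never indexes past vshift[]; returns planes written. */
static int fill_missing_ref(ModelFrame *f, const ModelSPS *sps)
{
    int i, n = coded_planes(sps);
    for (i = 0; i < n && f->data[i]; i++) {
        int rows = (sps->height + (1 << sps->vshift[i]) - 1) >> sps->vshift[i];
        memset(f->data[i], 1 << (sps->bit_depth - 1), (size_t)f->linesize[i] * rows);
    }
    return i;
}

/* Constructed 4x4 4:2:0 frame with alpha; alpha is pre-set to 0xFF. */
static uint8_t y_buf[16], cb_buf[4], cr_buf[4], a_buf[16];
static const ModelSPS demo_sps = { 4, 8, 1, { 0, 1, 1 }, { 0, 1, 1 } };

/* Returns 1 if the coded planes are mid-grey and alpha is untouched. */
static int demo_alpha_untouched(void)
{
    ModelFrame f = { { y_buf, cb_buf, cr_buf, a_buf }, { 4, 2, 2, 4 } };
    memset(a_buf, 0xFF, sizeof(a_buf));
    if (planes_until_null(&f) != 4 || fill_missing_ref(&f, &demo_sps) != 3)
        return 0; /* NULL walk sees 4 planes; bounded fill must stop at 3 */
    return y_buf[15] == 128 && cb_buf[3] == 128 && cr_buf[3] == 128 && a_buf[0] == 0xFF;
}

int main(void) { printf("alpha untouched: %d\n", demo_alpha_untouched()); return 0; }
```

In the model, the pointer walk reports four planes for an alpha frame while the shift tables hold three entries, which is the index mismatch the commit message attributes the out-of-array read to.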