From 92242be8d6fb396a15c3053720efa12398ebb642 Mon Sep 17 00:00:00 2001 From: Fyodor Kyslov Date: Thu, 4 Jun 2026 23:11:33 +0000 Subject: [PATCH] [libopenapv] Fix signed overflow in VLC decoding Add bounds checks to prevent signed integer overflow during VLC decoding. 1. In dec_vlc_read_1bit_read, limit the number of leading zeros (k) to < 30 to prevent overflow when calculating symbol and suffix. 2. In dec_vlc_read, limit k to < 31 in the exp-golomb loop to prevent signed overflow in the shift operation (1 << k). 3. Update KPARAM_AC macro in oapv_vlc.h to use oapv_clip3 instead of oapv_min, ensuring the returned parameter is always >= 0. This prevents a crash in media.swcodec when processing malformed bitstreams with excessive zeros. Bug: 495077878 Test: manual verification with stagefright and PoC Flag: EXEMPT BUGFIX Change-Id: Ia44c26d6a012681d94873bb1bcd372008c8b5bda --- src/oapv_vlc.c | 2 ++ src/oapv_vlc.h | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/oapv_vlc.c b/src/oapv_vlc.c index 75a3df7..b72a24f 100644 --- a/src/oapv_vlc.c +++ b/src/oapv_vlc.c @@ -687,6 +687,7 @@ static int dec_vlc_read_1bit_read(oapv_bs_t *bs) } else { k++; + oapv_assert_rv(k < 30, -1); } } } @@ -733,6 +734,7 @@ static int dec_vlc_read(oapv_bs_t *bs, int k) break; } else { + oapv_assert_rv(k < 31, -1); symbol += (1 << k); k++; } diff --git a/src/oapv_vlc.h b/src/oapv_vlc.h index 435515b..c471631 100644 --- a/src/oapv_vlc.h +++ b/src/oapv_vlc.h @@ -36,7 +36,7 @@ #include "oapv_metadata.h" #define KPARAM_DC(level) oapv_min((level)>>1, OAPV_KPARAM_DC_MAX) -#define KPARAM_AC(level) oapv_min((level)>>2, OAPV_KPARAM_AC_MAX) +#define KPARAM_AC(level) oapv_clip3(OAPV_KPARAM_AC_MIN, OAPV_KPARAM_AC_MAX, (level)>>2) #define KPARAM_RUN(run) oapv_min((run)>>2, OAPV_KPARAM_RUN_MAX) void oapve_set_frame_header(oapve_ctx_t * ctx, oapv_fh_t * fh);