From eacb47ec20ab5bd6e7df4e2e91c7ef8ca2b8bf96 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 22 Dec 2025 23:03:06 +0100
Subject: [PATCH] avcodec/hevc/sei: Use get_bits64() in
 decode_nal_sei_3d_reference_displays_info()

Fixes: Assertion n>=0 && n<=32 failed at ./libavcodec/get_bits.h:426
Fixes: 468435217/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4644127078940672

Found-by:  continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8f57b04fe56e0145b193efd2f5d2d0d5a80347f4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevc/sei.c | 4 ++--
 libavcodec/hevc/sei.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index 5fd4e763b3..e12803f1d3 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c
@@ -195,7 +195,7 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
         else
             length = FFMAX(0, (int)s->exponent_ref_display_width[i] +
                               (int)s->prec_ref_display_width - 31);
-        s->mantissa_ref_display_width[i] = get_bits_long(gb, length);
+        s->mantissa_ref_display_width[i] = get_bits64(gb, length);
         if (s->ref_viewing_distance_flag) {
             s->exponent_ref_viewing_distance[i] = get_bits(gb, 6);
             if (s->exponent_ref_viewing_distance[i] > 62)
@@ -205,7 +205,7 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
             else
                 length = FFMAX(0, (int)s->exponent_ref_viewing_distance[i] +
                                   (int)s->prec_ref_viewing_dist - 31);
-            s->mantissa_ref_viewing_distance[i] = get_bits_long(gb, length);
+            s->mantissa_ref_viewing_distance[i] = get_bits64(gb, length);
         }
         s->additional_shift_present_flag[i] = get_bits1(gb);
         if (s->additional_shift_present_flag[i]) {
diff --git a/libavcodec/hevc/sei.h b/libavcodec/hevc/sei.h
index d6891d60a6..e5cdc39317 100644
--- a/libavcodec/hevc/sei.h
+++ b/libavcodec/hevc/sei.h
@@ -87,9 +87,9 @@ typedef struct HEVCSEITDRDI {
     uint16_t left_view_id[32];
     uint16_t right_view_id[32];
     uint8_t exponent_ref_display_width[32];
-    uint8_t mantissa_ref_display_width[32];
+    uint64_t mantissa_ref_display_width[32];
     uint8_t exponent_ref_viewing_distance[32];
-    uint8_t mantissa_ref_viewing_distance[32];
+    uint64_t mantissa_ref_viewing_distance[32];
     uint8_t additional_shift_present_flag[32];
     int16_t num_sample_shift[32];
     uint8_t three_dimensional_reference_displays_extension_flag;