MrBesen/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

avcodec/snowdec: Fix integer overflow in header parsing

Browse Source 
Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576
Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-11-05 21:20:05 +01:00
parent 43171a2a73
commit c897a92858
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/snowdec.c
View File

@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){
}
}
s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1);
s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1);
if(s->spatial_decomposition_type > 1U){
av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type);
return AVERROR_INVALIDDATA;
@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){
}
s->qlog += get_symbol(&s->c, s->header_state, 1);
s->mv_scale += get_symbol(&s->c, s->header_state, 1);
s->qbias += get_symbol(&s->c, s->header_state, 1);
s->block_max_depth+= get_symbol(&s->c, s->header_state, 1);
s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1);
s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1);
s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1);
s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1);
if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth);
s->block_max_depth= 0;