[FFmpeg-cvslog] oggparsedaala: reject too large gpshift

Andreas Cadhalpun git at videolan.org
Sat Jan 2 12:19:29 CET 2016


ffmpeg | branch: master | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Tue Dec 29 18:32:01 2015 +0100| [c112be25f7825d14b1c39ccbf325b85883f852c2] | committer: Andreas Cadhalpun

oggparsedaala: reject too large gpshift

Also use an unsigned constant for the shift calculation, as 1 << 31 is
undefined for int32_t. This is also fixed in oggparsetheora.

This fixes ubsan runtime error: shift exponent is too large for
32-bit type 'int'

Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c112be25f7825d14b1c39ccbf325b85883f852c2
---

 libavformat/oggparsedaala.c  |    7 ++++++-
 libavformat/oggparsetheora.c |    2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c
index 24567f9..3651ca1 100644
--- a/libavformat/oggparsedaala.c
+++ b/libavformat/oggparsedaala.c
@@ -123,7 +123,12 @@ static int daala_header(AVFormatContext *s, int idx)
 
         hdr->frame_duration = bytestream2_get_ne32(&gb);
         hdr->gpshift = bytestream2_get_byte(&gb);
-        hdr->gpmask  = (1 << hdr->gpshift) - 1;
+        if (hdr->gpshift >= 32) {
+            av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n",
+                   hdr->gpshift);
+            return AVERROR_INVALIDDATA;
+        }
+        hdr->gpmask  = (1U << hdr->gpshift) - 1;
 
         hdr->format.depth  = 8 + 2*(bytestream2_get_byte(&gb)-1);
 
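Review bot: The bound in `if (hdr->gpshift >= 32)` is a bare literal that is only correct because the constant two lines below is the 32-bit `1U`; nothing in the hunk ties the two together. A one-line comment stating that the limit is the bit width of the shifted constant (or deriving it from the type, if gpmask is meant to stay 32 bits wide) would stop a later change to `1ULL` or to the check from silently reintroducing the undefined shift. Note also that the early `return AVERROR_INVALIDDATA` happens after `hdr->frame_duration` has already been stored, so the header struct is left partially filled on this path; callers should treat it as unusable on error, and it is worth confirming that nothing set up earlier in `daala_header` needs releasing before this return, which is not visible in this context.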
diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c
index 6e6a362..5f057c3 100644
--- a/libavformat/oggparsetheora.c
+++ b/libavformat/oggparsetheora.c
@@ -108,7 +108,7 @@ static int theora_header(AVFormatContext *s, int idx)
             skip_bits(&gb, 2);
 
         thp->gpshift = get_bits(&gb, 5);
-        thp->gpmask  = (1 << thp->gpshift) - 1;
+        thp->gpmask  = (1U << thp->gpshift) - 1;
 
         st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
         st->codec->codec_id   = AV_CODEC_ID_THEORA;
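Review bot: Unlike the Daala parser, `thp->gpmask  = (1U << thp->gpshift) - 1;` gets no range check, and the reason is only implicit in the line above: `get_bits(&gb, 5)` cannot return more than 31, so the unsigned shift is always defined. A short comment saying that the 5-bit field width is what bounds the shift would make the asymmetry between the two files obvious and would flag the dependency if the field width is ever changed.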


