[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in recovery_frame computation
Michael Niedermayer
git at videolan.org
Sat Jun 16 01:32:34 EEST 2018
ffmpeg | branch: release/4.0 | Michael Niedermayer <michael at niedermayer.cc> | Fri Jun 8 19:07:22 2018 +0200| [e42ab0115e245d226fa592c9bed82fe7f9b0cf22] | committer: Michael Niedermayer
avcodec/h264_slice: Fix overflow in recovery_frame computation
Fixes: signed integer overflow: 15 + 2147483646 cannot be represented in type 'int'
Fixes: 8381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6225533137321984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 8c20ea8ee0f3f0b27aca0204c6dfaa4ac137e34e)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e42ab0115e245d226fa592c9bed82fe7f9b0cf22
---
libavcodec/h264_sei.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
index 9defcb80b9..6499086210 100644
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@@ -261,10 +261,16 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
return 0;
}
-static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb)
+static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb, void *logctx)
{
- h->recovery_frame_cnt = get_ue_golomb_long(gb);
+ unsigned recovery_frame_cnt = get_ue_golomb_long(gb);
+ if (recovery_frame_cnt >= (1<<MAX_LOG2_MAX_FRAME_NUM)) {
+ av_log(logctx, AV_LOG_ERROR, "recovery_frame_cnt %u is out of range\n", recovery_frame_cnt);
+ return AVERROR_INVALIDDATA;
+ }
+
+ h->recovery_frame_cnt = recovery_frame_cnt;
/* 1b exact_match_flag,
* 1b broken_link_flag,
* 2b changing_slice_group_idc */
@@ -429,7 +435,7 @@ int ff_h264_sei_decode(H264SEIContext *h, GetBitContext *gb,
ret = decode_unregistered_user_data(&h->unregistered, gb, logctx, size);
break;
case H264_SEI_TYPE_RECOVERY_POINT:
- ret = decode_recovery_point(&h->recovery_point, gb);
+ ret = decode_recovery_point(&h->recovery_point, gb, logctx);
break;
case H264_SEI_TYPE_BUFFERING_PERIOD:
ret = decode_buffering_period(&h->buffering_period, gb, ps, logctx);
More information about the ffmpeg-cvslog
mailing list