[FFmpeg-cvslog] avcodec/h264_ps: Check delta scale for validity
Michael Niedermayer
git at videolan.org
Tue Feb 21 16:32:13 EET 2017
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Feb 21 03:51:17 2017 +0100| [cbd622be997e8307a409efc3b4bbe8765147def2] | committer: Michael Niedermayer
avcodec/h264_ps: Check delta scale for validity
Fixes: signed integer overflow: 5 + 2147483646 cannot be represented in type 'int'
Fixes: 634/clusterfuzz-testcase-5285420445204480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cbd622be997e8307a409efc3b4bbe8765147def2
---
libavcodec/h264_ps.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 270d06b..8090178 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -257,8 +257,14 @@ static void decode_scaling_list(GetBitContext *gb, uint8_t *factors, int size,
memcpy(factors, fallback_list, size * sizeof(uint8_t));
else
for (i = 0; i < size; i++) {
- if (next)
- next = (last + get_se_golomb(gb)) & 0xff;
+ if (next) {
+ int v = get_se_golomb(gb);
+ if (v < -128 || v > 127) {
+ av_log(NULL, AV_LOG_ERROR, "delta scale %d is invalid\n", v);
+ v = -last;
+ }
+ next = (last + v) & 0xff;
+ }
if (!i && !next) { /* matrix not written, we use the preset one */
memcpy(factors, jvt_list, size * sizeof(uint8_t));
break;
More information about the ffmpeg-cvslog
mailing list