[FFmpeg-cvslog] avcodec/hevc_ps: Fix max_dec_buffer check

Michael Niedermayer git at videolan.org
Sun Jun 25 02:13:57 EEST 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Jun 25 00:00:13 2017 +0200| [63e7bfe78e6d764097e845248f6d77b28b2b235c] | committer: Michael Niedermayer

avcodec/hevc_ps: Fix max_dec_buffer check

Fixes: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 2339/clusterfuzz-testcase-minimized-6663164320022528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=63e7bfe78e6d764097e845248f6d77b28b2b235c
---

 libavcodec/hevc_ps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 0fa50a1508..6cbf40a6e0 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -941,9 +941,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
         sps->temporal_layer[i].max_dec_pic_buffering = get_ue_golomb_long(gb) + 1;
         sps->temporal_layer[i].num_reorder_pics      = get_ue_golomb_long(gb);
         sps->temporal_layer[i].max_latency_increase  = get_ue_golomb_long(gb) - 1;
-        if (sps->temporal_layer[i].max_dec_pic_buffering > HEVC_MAX_DPB_SIZE) {
+        if (sps->temporal_layer[i].max_dec_pic_buffering > (unsigned)HEVC_MAX_DPB_SIZE) {
             av_log(avctx, AV_LOG_ERROR, "sps_max_dec_pic_buffering_minus1 out of range: %d\n",
-                   sps->temporal_layer[i].max_dec_pic_buffering - 1);
+                   sps->temporal_layer[i].max_dec_pic_buffering - 1U);
             return AVERROR_INVALIDDATA;
         }
         if (sps->temporal_layer[i].num_reorder_pics > sps->temporal_layer[i].max_dec_pic_buffering - 1) {



More information about the ffmpeg-cvslog mailing list