[FFmpeg-cvslog] avcodec/sonic: Check e in get_symbol()

Tue Dec 31 20:05:00 EET 2019

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Oct 21 23:22:05 2019 +0200| [aea67556116330d3151e4cd3ef1e266b5d90f388] | committer: Michael Niedermayer

avcodec/sonic: Check e in get_symbol()

Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int'
Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176
Fixes: 18753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5663299131932672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aea67556116330d3151e4cd3ef1e266b5d90f388
---

 libavcodec/sonic.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index 219412eb77..c975774b04 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si
         e= 0;
         while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
         }
 
         a= 1;

