[FFmpeg-cvslog] avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter
Michael Niedermayer
git at videolan.org
Sun Nov 29 17:16:29 EET 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri Oct 23 00:24:01 2020 +0200| [7cf852b03c3ae6b61f89614371d2cb308d0b7f86] | committer: Michael Niedermayer
avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter
The max depth is 16bps, the max allowed coefficient depth is depth+6
Fixes: signed integer overflow: 1074266112 + 1073725439 cannot be represented in type 'int'
Fixes: 26493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657763331702784
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7cf852b03c3ae6b61f89614371d2cb308d0b7f86
---
libavcodec/hevc_cabac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 3dc0987dad..3635b16ca9 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
} else {
int prefix_minus3 = prefix - 3;
- if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
+ if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
return 0;
}
More information about the ffmpeg-cvslog
mailing list