[FFmpeg-devel] [PATCH 2/4] avcodec/hevc_ps: Fix integer overflow with num_tile_rows

Michael Niedermayer michael at niedermayer.cc
Sun Jun 16 01:07:12 EEST 2019


On Sat, Jun 15, 2019 at 03:07:13PM +0000, Song, Ruiling wrote:
> > -----Original Message-----
> > From: ffmpeg-devel [mailto:ffmpeg-devel-bounces at ffmpeg.org] On Behalf Of Michael Niedermayer
> > Sent: Friday, June 14, 2019 2:33 AM
> > To: FFmpeg development discussions and patches <ffmpeg-devel at ffmpeg.org>
> > Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/hevc_ps: Fix integer overflow with num_tile_rows
> > 
> > Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
> > Fixes: 14880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5130977304641536
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/hevc_ps.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
> > index 80df417e4f..0ed6682bb4 100644
> > --- a/libavcodec/hevc_ps.c
> > +++ b/libavcodec/hevc_ps.c
> > @@ -1596,7 +1596,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb,
> > AVCodecContext *avctx,
> >          if (pps->num_tile_rows <= 0 ||
> >              pps->num_tile_rows >= sps->height) {
> >              av_log(avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of
> > range: %d\n",
> > -                   pps->num_tile_rows - 1);
> > +                   pps->num_tile_rows - 1U);
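Review bot: after the `- 1U` change the av_log argument is an unsigned int while the conversion in the format string is still `%d`; that is a format/argument type mismatch (GCC's -Wformat-signedness flags it), and for num_tile_rows == 0 the value 4294967295U only prints as -1 by virtue of two's complement reinterpretation. Either switch the conversion to `%u`, or drop the subtraction from the diagnostic entirely and log the value that was actually range-checked: `"num_tile_rows out of range: %d\n", pps->num_tile_rows`. The range check itself (`num_tile_rows <= 0 || num_tile_rows >= sps->height`) is sound; the overflow was only reachable on the error path through the logging expression.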
> I think the machine code generated here should be the same, right?
> So you just tell the fuzzer "I am doing subtraction between unsigned numbers", to make it happy?

It's likely the same machine code, yes. A compiler might produce different code
that breaks in case of the overflow though ...

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato
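The exchange above turns on the difference between a signed subtraction that overflows (undefined behaviour, which a compiler is free to miscompile or which UBSan reports, as the fuzzer did) and the same subtraction done after conversion to unsigned (defined wraparound). The following is an added example, not FFmpeg code and not part of the thread: it shows both forms side by side and a third, overflow-checked form, wrapped in a hypothetical `validate_num_tile_rows` helper that mirrors the shape of the hunk's range check (`1 <= num_tile_rows < height`) and never evaluates an overflowing `num_tile_rows - 1` on its error path. `__builtin_sub_overflow` is a GCC/Clang builtin; a 32-bit `int` is assumed for the numeric comments.

```c
/* Added example (not FFmpeg code): signed overflow vs. unsigned wraparound
 * vs. checked subtraction.  Build with:
 *   cc -std=c11 -Wall -fsanitize=undefined demo.c
 * The signed form `x - 1` with x == INT_MIN would be reported by UBSan as
 * "signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'",
 * which is the message the patch fixes. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The patched form: x is converted to unsigned int before the subtraction
 * (usual arithmetic conversions), so INT_MIN - 1U == 2147483647U and
 * 0 - 1U == 4294967295U.  Wraparound on unsigned types is defined. */
unsigned int minus_one_unsigned(int x)
{
    return x - 1U;
}

/* Checked form: returns false instead of computing x - 1 when the result
 * cannot be represented as int (only for x == INT_MIN). */
bool minus_one_checked(int x, int *out)
{
    return !__builtin_sub_overflow(x, 1, out);
}

/* Hypothetical validator shaped like the hunk's check.  Returns 0 when
 * 1 <= num_tile_rows < height, otherwise -1 after writing a diagnostic
 * into msg.  The "minus1" value appears in the message only when it is
 * representable, so the error path cannot itself invoke undefined behaviour. */
int validate_num_tile_rows(int num_tile_rows, int height,
                           char *msg, size_t msg_len)
{
    int minus1;

    if (num_tile_rows > 0 && num_tile_rows < height) {
        msg[0] = '\0';
        return 0;
    }
    if (minus_one_checked(num_tile_rows, &minus1))
        snprintf(msg, msg_len,
                 "num_tile_rows_minus1 out of range: %d", minus1);
    else
        snprintf(msg, msg_len,
                 "num_tile_rows out of range: %d", num_tile_rows);
    return -1;
}

int main(void)
{
    char msg[96];

    /* Constructed inputs: the fuzzer's INT_MIN case, a zero, and a valid value. */
    printf("INT_MIN - 1U = %u\n", minus_one_unsigned(INT_MIN));
    validate_num_tile_rows(INT_MIN, 1080, msg, sizeof msg);
    puts(msg);
    validate_num_tile_rows(0, 1080, msg, sizeof msg);
    puts(msg);
    printf("valid: %d\n", validate_num_tile_rows(4, 1080, msg, sizeof msg));
    return 0;
}
```

Running the `x - 1` signed variant under `-fsanitize=undefined` with `INT_MIN` is the quickest way to reproduce the class of report the fuzzer produced; the checked form is the one to prefer when the value must reach a log line or a later computation, because it makes the impossible case explicit rather than relying on wraparound and a `%d` reinterpretation.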