On 6/18/2023 8:01 PM, James Almer wrote:
On 6/18/2023 7:27 PM, James Almer wrote:
On 6/18/2023 6:50 PM, Michael Niedermayer wrote:
Fixes: 1.70141e+38 is outside the range of representable values of
type 'int'
Fixes:
59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/evc_parse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
index 44be5c5291..822b236423 100644
--- a/libavcodec/evc_parse.c
+++ b/libavcodec/evc_parse.c
@@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext
*ctx, const uint8_t *bs, int bs_
if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
sps->log2_sub_gop_length = get_ue_golomb(&gb);
+ if (sps->log2_sub_gop_length > 5U)
+ return NULL;
if (sps->log2_sub_gop_length == 0)
sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);
}
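Review bot: the new early `return NULL` after the `log2_sub_gop_length > 5U` check bails out of ff_evc_parse_sps without releasing the SPS that was already set up for this id, so the caller sees a failure while a half-initialised entry stays behind (the follow-up in this thread notes the same and amends it); free or clear that entry before returning. The field read on the very next lines, `sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);`, is still stored with no range check, so if it is later used the way log2_sub_gop_length is (as a shift count or in size arithmetic), it needs the same bound. A one-line comment on the `5U` saying that the unsigned compare also catches a negative error return from get_ue_golomb would keep someone from "simplifying" it to a plain `5` later.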
LGTM, but please let me apply it as part of my evc patchset to prevent
conflicts.
Actually, this is leaving the SPS allocated in the array, which should
be freed if we're going to start erroring out on failed range checks.
I'll amend it before applying it.
Applied.
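As an added illustration of the check the patch above introduces (this is example code written for this page, not FFmpeg's evc_parse.c), the following C program reads the same four SPS fields in the same order with a small ue(v) Exp-Golomb reader, rejects an out-of-range log2_sub_gop_length before it can reach a shift, and shows the difference on constructed inputs, including a ue(v) value of 128 and a truncated buffer. The bit reader, the struct and the bound on log2_ref_pic_gap_length are assumptions made for the example; the bound of 5 on log2_sub_gop_length is the one the patch uses.

```c
/* Added example (not FFmpeg code): a minimal ue(v) Exp-Golomb reader and a
 * parse of the four SPS fields the hunk touches, with the range check applied
 * before the value reaches a shift. Input bytes are constructed for this
 * example; field names follow the hunk, the bounds are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LOG2_SUB_GOP_LENGTH     5  /* bound used by the patch above */
#define MAX_LOG2_REF_PIC_GAP_LENGTH 5  /* assumed bound for the second field */

typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

/* Returns the next bit (MSB first), or -1 at end of data. */
static int read_bit(BitReader *br)
{
    int bit;
    if (br->pos >= br->size_bits)
        return -1;
    bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v): n leading zeros, a 1, then n info bits; value = 2^n - 1 + info.
 * Returns -1 on truncation or when n > 31 (value would not fit 32 bits). */
static int64_t read_ue(BitReader *br)
{
    int zeros = 0, bit, i;
    uint64_t info = 0;
    while ((bit = read_bit(br)) == 0)
        zeros++;
    if (bit < 0 || zeros > 31)
        return -1;
    for (i = 0; i < zeros; i++) {
        bit = read_bit(br);
        if (bit < 0)
            return -1;
        info = (info << 1) | (uint64_t)bit;
    }
    return (int64_t)((((uint64_t)1) << zeros) - 1 + info);
}

typedef struct {
    int sps_pocs_flag;
    int sps_rpl_flag;
    int log2_sub_gop_length;
    int log2_ref_pic_gap_length;
    int sub_gop_length;          /* 1 << log2_sub_gop_length */
} SubGopParams;

/* Same field order and conditions as the hunk. Returns 0, or -1 on any
 * invalid field, before anything derived from the field is computed. */
static int parse_sub_gop(const uint8_t *bs, size_t len, SubGopParams *p)
{
    BitReader br = { bs, len * 8, 0 };
    int64_t v;

    p->sps_pocs_flag = read_bit(&br);
    p->sps_rpl_flag  = read_bit(&br);
    if (p->sps_pocs_flag < 0 || p->sps_rpl_flag < 0)
        return -1;
    p->log2_sub_gop_length = 0;
    p->log2_ref_pic_gap_length = 0;

    if (!p->sps_pocs_flag || !p->sps_rpl_flag) {
        v = read_ue(&br);
        /* Check before use: 1 << v is undefined for int once v >= 31, and an
         * unchecked ue(v) can carry values far beyond that (128 below). */
        if (v < 0 || v > MAX_LOG2_SUB_GOP_LENGTH)
            return -1;
        p->log2_sub_gop_length = (int)v;
        if (p->log2_sub_gop_length == 0) {
            v = read_ue(&br);
            if (v < 0 || v > MAX_LOG2_REF_PIC_GAP_LENGTH)
                return -1;
            p->log2_ref_pic_gap_length = (int)v;
        }
    }
    p->sub_gop_length = 1 << p->log2_sub_gop_length;
    return 0;
}

/* Sub-GOP length for a byte string, or -1 if the fragment is rejected. */
static int sub_gop_length_of(const uint8_t *bs, size_t len)
{
    SubGopParams p;
    return parse_sub_gop(bs, len, &p) == 0 ? p.sub_gop_length : -1;
}

/* log2_ref_pic_gap_length for a byte string, or -1 if rejected. */
static int ref_pic_gap_of(const uint8_t *bs, size_t len)
{
    SubGopParams p;
    return parse_sub_gop(bs, len, &p) == 0 ? p.log2_ref_pic_gap_length : -1;
}

/* Constructed inputs (bits written MSB first):
 *   SAMPLE_OK:   flags 0,1; ue(3)="00100"                -> sub_gop_length 8
 *   SAMPLE_GAP:  flags 0,0; ue(0)="1"; ue(4)="00101"      -> length 1, gap 4
 *   SAMPLE_HUGE: flags 0,0; ue(128)="000000010000001"    -> rejected
 *   SAMPLE_CUT:  flags 0,0; then only zeros, no stop bit  -> rejected */
static const uint8_t SAMPLE_OK[]   = { 0x48 };
static const uint8_t SAMPLE_GAP[]  = { 0x25 };
static const uint8_t SAMPLE_HUGE[] = { 0x00, 0x40, 0x80 };
static const uint8_t SAMPLE_CUT[]  = { 0x00 };

int main(void)
{
    printf("ok:   %d\n", sub_gop_length_of(SAMPLE_OK,   sizeof SAMPLE_OK));
    printf("gap:  %d (log2 gap %d)\n", sub_gop_length_of(SAMPLE_GAP, sizeof SAMPLE_GAP),
           ref_pic_gap_of(SAMPLE_GAP, sizeof SAMPLE_GAP));
    printf("huge: %d\n", sub_gop_length_of(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("cut:  %d\n", sub_gop_length_of(SAMPLE_CUT,  sizeof SAMPLE_CUT));
    return 0;
}
```

The point of the ordering is that the bound is tested on the raw ue(v) result before it is stored or shifted, so a rejected fragment leaves no derived state behind; without the check, SAMPLE_HUGE would evaluate `1 << 128`, which is the kind of out-of-range arithmetic the fuzzer report in the commit message describes.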
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".