On 5/11/2019 2:59 PM, Michael Niedermayer wrote: > Fixes: signed integer overflow: -2147483648 + -1 cannot be represented in > type 'int' > Fixes: > 14444/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5675880333967360 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/h264_ps.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c > index 7c92c68b38..e38cf2a533 100644 > --- a/libavcodec/h264_ps.c > +++ b/libavcodec/h264_ps.c > @@ -451,6 +451,15 @@ int ff_h264_decode_seq_parameter_set(GetBitContext *gb, > AVCodecContext *avctx, > sps->delta_pic_order_always_zero_flag = get_bits1(gb); > sps->offset_for_non_ref_pic = get_se_golomb_long(gb); > sps->offset_for_top_to_bottom_field = get_se_golomb_long(gb); > + > + if ( sps->offset_for_non_ref_pic == INT32_MIN > + || sps->offset_for_top_to_bottom_field == INT32_MIN > + ) { > + av_log(avctx, AV_LOG_ERROR, > + "offset_for_non_ref_pic or offset_for_top_to_bottom_field > underflow\n"); > + goto fail; > + }
The valid range is INT32_MIN + 1 to INT32_MAX, so it should be good. But maybe the error message should instead say it's out of range? Fwiw, there's another get_se_golomb_long() call right below these, with the same range constrains. > + > sps->poc_cycle_length = get_ue_golomb(gb); > > if ((unsigned)sps->poc_cycle_length >= > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
