> -----Original Message----- > From: ffmpeg-devel [mailto:ffmpeg-devel-boun...@ffmpeg.org] On Behalf > Of Michael Niedermayer > Sent: Sunday, June 16, 2019 6:07 AM > To: FFmpeg development discussions and patches <ffmpeg- > de...@ffmpeg.org> > Subject: Re: [FFmpeg-devel] [PATCH 2/4] avcodec/hevc_ps: Fix integer > overflow with num_tile_rows > > On Sat, Jun 15, 2019 at 03:07:13PM +0000, Song, Ruiling wrote: > > > -----Original Message----- > > > From: ffmpeg-devel [mailto:ffmpeg-devel-boun...@ffmpeg.org] On > Behalf > > > Of Michael Niedermayer > > > Sent: Friday, June 14, 2019 2:33 AM > > > To: FFmpeg development discussions and patches <ffmpeg- > > > de...@ffmpeg.org> > > > Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/hevc_ps: Fix integer > overflow > > > with num_tile_rows > > > > > > Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in > > > type 'int' > > > Fixes: 14880/clusterfuzz-testcase-minimized- > > > ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5130977304641536 > > > > > > Found-by: continuous fuzzing process https://github.com/google/oss- > > > fuzz/tree/master/projects/ffmpeg > > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > > --- > > > libavcodec/hevc_ps.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c > > > index 80df417e4f..0ed6682bb4 100644 > > > --- a/libavcodec/hevc_ps.c > > > +++ b/libavcodec/hevc_ps.c 
> > > @@ -1596,7 +1596,7 @@ int ff_hevc_decode_nal_pps(GetBitContext > *gb, > > > AVCodecContext *avctx, > > > if (pps->num_tile_rows <= 0 || > > > pps->num_tile_rows >= sps->height) { > > > av_log(avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of > > > range: %d\n", > > > - pps->num_tile_rows - 1); > > > + pps->num_tile_rows - 1U);
> > I think the machine code generated here should be the same, right?
> > So you just tell fuzzer "I am doing subtraction between unsigned numbers", to make it happy?
>
> it's likely the same machine code, yes. A compiler might produce different code
> that breaks in case of the overflow though ...

Ok, it seems num_tile_columns also needs this kind of change.
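Review bot: the `%d` conversion in the `av_log` call no longer matches its argument, because `pps->num_tile_rows - 1U` has type `unsigned int`. The unsigned subtraction removes the undefined signed overflow reported in the commit message, but the logged value is now misleading in exactly that case: for a `num_tile_rows` of -2147483648 the expression wraps to 2147483647, and for 0 it wraps to the largest unsigned value, which `%d` is not specified to print. Consider widening instead, for example `(int64_t)pps->num_tile_rows - 1` with `"%"PRId64`, so the message shows the true out-of-range value without any wraparound. As noted in the reply, the visible hunk only covers `num_tile_rows`; whichever form is chosen should be applied to the `num_tile_columns` message as well so the two stay consistent.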
> > thx > > [...] > -- > Michael GnuPG fingerprint: > 9FF2128B147EF6730BADF133611EC787040B0FAB > > When the tyrant has disposed of foreign enemies by conquest or treaty, and > there is nothing more to fear from them, then he is always stirring up > some war or other, in order that the people may require a leader. -- Plato