[FFmpeg-cvslog] avcodec/h264_ps: Check delta scale for validity

Michael Niedermayer git at videolan.org
Tue Feb 21 16:32:13 EET 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Feb 21 03:51:17 2017 +0100| [cbd622be997e8307a409efc3b4bbe8765147def2] | committer: Michael Niedermayer

avcodec/h264_ps: Check delta scale for validity

Fixes: signed integer overflow: 5 + 2147483646 cannot be represented in type 'int'
Fixes: 634/clusterfuzz-testcase-5285420445204480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cbd622be997e8307a409efc3b4bbe8765147def2
---

 libavcodec/h264_ps.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 270d06b..8090178 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -257,8 +257,14 @@ static void decode_scaling_list(GetBitContext *gb, uint8_t *factors, int size,
         memcpy(factors, fallback_list, size * sizeof(uint8_t));
     else
         for (i = 0; i < size; i++) {
-            if (next)
-                next = (last + get_se_golomb(gb)) & 0xff;
+            if (next) {
+                int v = get_se_golomb(gb);
+                if (v < -128 || v > 127) {
+                    av_log(NULL, AV_LOG_ERROR, "delta scale %d is invalid\n", v);
+                    v = -last;
+                }
+                next = (last + v) & 0xff;
+            }
             if (!i && !next) { /* matrix not written, we use the preset one */
                 memcpy(factors, jvt_list, size * sizeof(uint8_t));
                 break;



More information about the ffmpeg-cvslog mailing list