[FFmpeg-devel] [PATCH 2/2] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()

Ronald S. Bultje rsbultje at gmail.com
Tue Jan 16 02:33:30 EET 2018


Hi,

On Mon, Jan 15, 2018 at 6:37 PM, Michael Niedermayer <michael at niedermayer.cc> wrote:

> I suspect that this can be limited tighter, but i failed to find anything
> in the spec that would confirm that.
>
> Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584
> Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented in type 'int'
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/hevc_cabac.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
> index 743168500c..faa36d5459 100644
> --- a/libavcodec/hevc_cabac.c
> +++ b/libavcodec/hevc_cabac.c
> @@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext
> *s, int
>      } else {
>          int prefix_minus3 = prefix - 3;
>
> -        if (prefix == CABAC_MAX_BIN) {
> +        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >=
> 31) {
>              av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n",
> prefix);
>              return 0;
>          }
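Review bot: the error message in this hunk now fires for a condition that has nothing to do with CABAC_MAX_BIN; when `prefix_minus3 + rc_rice_param >= 31` is what triggered, `"CABAC_MAX_BIN : %d\n", prefix` tells the reader nothing about the actual problem (a prefix/Rice-parameter combination that would need a shift of 31 or more bits). Suggest a separate message for that branch, e.g. `av_log(s->avctx, AV_LOG_ERROR, "coeff_abs_level_remaining prefix %d too large for rice param %d\n", prefix, rc_rice_param);`, and keeping the existing text only for the real `prefix == CABAC_MAX_BIN` case. The bound itself matches the fuzzer report exactly: 134217730 is (1 << 27) + 2, i.e. prefix_minus3 == 27, and shifting it by rc_rice_param == 4 is the first rejected sum of 31. Since the commit message already suspects a tighter limit is possible, note that a sum of 30 is still accepted, where the shifted term already lands near 2^30 and leaves essentially no headroom for whatever suffix bits are added to it afterwards.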


I understand this is unrelated to the patch, but I once again want to point
out how utterly useless this error message is for end users :-(.

Ronald
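The arithmetic the patch guards, as an added example that is not FFmpeg's code: a stand-alone C model of the coeff_abs_level_remaining binarization (H.265 clause 9.3.3.11, inverted with the same prefix/suffix structure the quoted function uses) over a constructed '0'/'1' string standing in for the CABAC bypass decoder, with the patch's prefix bound, plus a 64-bit checker that computes the largest value a (prefix, rc_rice_param) pair can produce so the guard can be compared against what actually fits in a 32-bit int. The CABAC_MAX_BIN value of 31, the assumption that rc_rice_param never exceeds 4, the BypassReader type and all helper names are mine, not FFmpeg's.

```c
/*
 * Added example, not FFmpeg code: model of the coeff_abs_level_remaining
 * binarization (H.265 9.3.3.11) with the prefix bound from the patch.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CABAC_MAX_BIN 31   /* assumed to match libavcodec/hevc_cabac.c */

/* Constructed stand-in for the CABAC bypass decoder: a string of '0'/'1'
 * characters consumed one bit at a time; reads past the end return 0. */
typedef struct {
    const char *bits;
    size_t pos;
} BypassReader;

static int read_bypass(BypassReader *r)
{
    if (r->bits[r->pos] == '\0')
        return 0;
    return r->bits[r->pos++] == '1';
}

/* Inverse binarization: count the unary prefix of 1-bits, then read the
 * suffix.  Sets *error and returns 0 when the prefix would need a shift
 * that cannot be represented in a 32-bit int (the patch's condition).
 * rc_rice_param is assumed to be at most 4, as in HEVC without extended
 * precision processing. */
int coeff_abs_level_remaining_decode(BypassReader *r, int rc_rice_param, int *error)
{
    int prefix = 0, suffix = 0, i;
    *error = 0;

    while (prefix < CABAC_MAX_BIN && read_bypass(r))
        prefix++;

    if (prefix < 3) {
        for (i = 0; i < rc_rice_param; i++)
            suffix = (suffix << 1) | read_bypass(r);
        return (prefix << rc_rice_param) + suffix;
    } else {
        int prefix_minus3 = prefix - 3;

        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
            *error = 1;   /* rejected: the shifts below would exceed 31 bits */
            return 0;
        }
        for (i = 0; i < prefix_minus3 + rc_rice_param; i++)
            suffix = (suffix << 1) | read_bypass(r);
        /* For prefix == 30 and rc_rice_param == 4 the left operand of the
         * second shift is (1 << 27) + 2 == 134217730, the fuzzer's value. */
        return (((1 << prefix_minus3) + 2) << rc_rice_param) + suffix;
    }
}

/* Largest value the formula above can produce for prefix >= 3, computed in
 * 64-bit arithmetic so the check itself cannot overflow. */
int64_t coeff_abs_level_remaining_max(int prefix, int rc_rice_param)
{
    int p3 = prefix - 3;
    int64_t base = ((INT64_C(1) << p3) + 2) << rc_rice_param;
    int64_t suffix_max = (INT64_C(1) << (p3 + rc_rice_param)) - 1;
    return base + suffix_max;
}

/* The patch's condition, as a predicate. */
int guard_allows(int prefix, int rc_rice_param)
{
    return !(prefix == CABAC_MAX_BIN || prefix - 3 + rc_rice_param >= 31);
}

/* Does every value reachable from (prefix, rc_rice_param) fit in an int? */
int value_fits_int(int prefix, int rc_rice_param)
{
    return coeff_abs_level_remaining_max(prefix, rc_rice_param) <= INT32_MAX;
}

int decode_bits(const char *bits, int rc_rice_param, int *error)
{
    BypassReader r = { bits, 0 };
    return coeff_abs_level_remaining_decode(&r, rc_rice_param, error);
}

/* Constructed input: n one-bits followed by a terminating zero. */
const char *unary(int n)
{
    static char buf[64];
    if (n > 62)
        n = 62;
    memset(buf, '1', (size_t)n);
    buf[n] = '0';
    buf[n + 1] = '\0';
    return buf;
}

int main(void)
{
    int err, p;
    printf("\"111101\" rice 0 -> %d\n", decode_bits("111101", 0, &err));
    decode_bits(unary(30), 4, &err);
    printf("prefix 30 rice 4 (fuzzer case) -> error=%d\n", err);
    for (p = 27; p <= 31; p++)
        printf("prefix %2d rice 4: guard %s, max value %s in int\n", p,
               guard_allows(p, 4) ? "allows " : "rejects",
               value_fits_int(p, 4) ? "fits" : "does not fit");
    return 0;
}
```

Running it shows the fuzzer case (prefix 30, rc_rice_param 4) rejected by the guard, while prefix 29 with rc_rice_param 4 passes the guard even though, under this reconstruction, its maximum value is 2147483679, above INT32_MAX once the 30 suffix bits are added; that is the direction of the commit message's remark that the limit can probably be tightened.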

