[FFmpeg-devel] [PATCH 4/4] avcodec/h264_slice: Fix overflow in recovery_frame computation

Michael Niedermayer michael at niedermayer.cc
Sun Jun 10 18:06:57 EEST 2018


On Fri, Jun 08, 2018 at 11:34:02PM -0300, James Almer wrote:
> On 6/8/2018 11:23 PM, James Almer wrote:
> > On 6/8/2018 8:12 PM, James Almer wrote:
> >> On 6/8/2018 7:11 PM, Michael Niedermayer wrote:
> >>> Fixes: signed integer overflow: 15 + 2147483646 cannot be represented in type 'int'
> >>> Fixes: 8381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6225533137321984
> >>>
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >>> ---
> >>>  libavcodec/h264_sei.c | 12 +++++++++---
> >>>  1 file changed, 9 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
> >>> index 9defcb80b9..2f16d95f56 100644
> >>> --- a/libavcodec/h264_sei.c
> >>> +++ b/libavcodec/h264_sei.c
> >>> @@ -261,10 +261,16 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
> >>>      return 0;
> >>>  }
> >>>  
> >>> -static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb)
> >>> +static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb, void *logctx)
> >>>  {
> >>> -    h->recovery_frame_cnt = get_ue_golomb_long(gb);
> >>> +    unsigned recovery_frame_cnt = get_ue_golomb_long(gb);
> >>>  
> >>> +    if (recovery_frame_cnt > (1<<16)) {
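Review bot: the bound on `+    if (recovery_frame_cnt > (1<<16)) {` is a bare literal and, as a strict greater-than, still lets 65536 through, one more than a 16-bit frame_num can hold; the suggestion in this thread to move MAX_LOG2_MAX_FRAME_NUM into h264_ps.h and compare against `(1 << MAX_LOG2_MAX_FRAME_NUM) - 1` names the limit and removes the off-by-one in the same step. As quoted, the hunk ends at that check, so the rejection path that uses the new `logctx` parameter and the assignment of the validated value to `h->recovery_frame_cnt` are not visible for review here. The subject line also says avcodec/h264_slice while the diffstat touches only libavcodec/h264_sei.c; the title should name the file actually changed.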
> >>
> >> Maybe move MAX_LOG2_MAX_FRAME_NUM out of h264_ps.c and into h264_ps.h,
> >> then use it here?
> > 
> > And it should be "(1 << MAX_LOG2_MAX_FRAME_NUM) - 1", for that matter.
> 
> > Or alternatively use sps->log2_max_frame_num from the active sps instead.
> 
> Or maybe not. Guess this is already handled by h264_slice.c, so probably
> just use the aforementioned constant.

will apply with these changes after basic testing

thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didn't complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"
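An added example, not code from FFmpeg or from the patch above, showing the shape of the fix this thread converges on: a count read from an SEI payload is kept in an unsigned local, rejected when it exceeds what frame_num can represent, and only then added to frame_num. The Exp-Golomb reader, the function names and the sample payloads are this example's own; MAX_LOG2_MAX_FRAME_NUM = 16 is assumed from the H.264 limit on log2_max_frame_num, and the bound is written as (1 << MAX_LOG2_MAX_FRAME_NUM) - 1 as suggested in the thread, so 65536 is rejected while 65535 passes.

```c
/* Added example, not FFmpeg code: an Exp-Golomb ue(v) reader over a constructed
 * SEI payload, the bound the reviewed patch introduces, and the frame_num
 * addition that the bound protects. MAX_LOG2_MAX_FRAME_NUM = 16 is assumed
 * from the H.264 limit on log2_max_frame_num; all names below are this
 * example's own. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LOG2_MAX_FRAME_NUM 16                          /* assumed limit */
#define MAX_FRAME_NUM ((1u << MAX_LOG2_MAX_FRAME_NUM) - 1) /* 65535 */

typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

/* Returns the next bit, or -1 once the buffer is exhausted. */
static int read_bit(BitReader *br)
{
    if (br->pos >= br->size_bits)
        return -1;
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v): n leading zero bits, a one, then n suffix bits; value = 2^n - 1 + suffix.
 * Returns -1 for a truncated or oversized code. */
static long long read_ue(BitReader *br)
{
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31)
            return -1;
    if (bit < 0)
        return -1;
    uint32_t suffix = 0;
    for (int i = 0; i < zeros; i++) {
        if ((bit = read_bit(br)) < 0)
            return -1;
        suffix = (suffix << 1) | (uint32_t)bit;
    }
    return (long long)((1ULL << zeros) - 1) + suffix;
}

/* Raw decode of the first ue(v) in a byte buffer, with no range check. */
static long long raw_ue(const uint8_t *buf, size_t len)
{
    BitReader br = { buf, len * 8, 0 };
    return read_ue(&br);
}

/* Recovery point parse with the bound the patch adds: the count lives in an
 * unsigned local and is rejected when it exceeds what frame_num can hold.
 * Returns the validated count, -1 for malformed input, -2 when out of range. */
static long long parse_recovery_cnt(const uint8_t *buf, size_t len)
{
    long long v = raw_ue(buf, len);
    if (v < 0)
        return -1;
    if (v > (long long)MAX_FRAME_NUM)
        return -2;
    return v;
}

/* Reports, without performing it, whether frame_num + cnt would overflow int. */
static int would_overflow_int(int frame_num, unsigned cnt)
{
    return cnt > (unsigned)(INT_MAX - frame_num);
}

/* Decoder-side use of the count: add to frame_num and wrap to the frame_num
 * range. With both operands at most MAX_FRAME_NUM the sum cannot overflow. */
static unsigned recovery_frame(unsigned frame_num, unsigned cnt)
{
    return (frame_num + cnt) & MAX_FRAME_NUM;
}

/* Constructed payloads: one ue(v) code each, zero padded to a byte boundary. */
static const uint8_t SAMPLE_CNT_5[]     = { 0x30 };                         /* 00110 */
static const uint8_t SAMPLE_CNT_65535[] = { 0x00, 0x00, 0x80, 0x00, 0x00 }; /* 16 zeros, 1, 16 zeros */
static const uint8_t SAMPLE_CNT_65536[] = { 0x00, 0x00, 0x80, 0x00, 0x80 }; /* same, suffix = 1 */
static const uint8_t SAMPLE_CNT_2G[]    = { 0x00, 0x00, 0x00, 0x03, 0xFF, 0xFF, 0xFF, 0xF8 }; /* 2^31 - 2 */
static const uint8_t SAMPLE_TRUNC[]     = { 0x00 };                         /* runs out of bits */

int main(void)
{
    printf("cnt 5      -> %lld\n", parse_recovery_cnt(SAMPLE_CNT_5, sizeof SAMPLE_CNT_5));
    printf("cnt 65535  -> %lld\n", parse_recovery_cnt(SAMPLE_CNT_65535, sizeof SAMPLE_CNT_65535));
    printf("cnt 65536  -> %lld (rejected)\n", parse_recovery_cnt(SAMPLE_CNT_65536, sizeof SAMPLE_CNT_65536));
    printf("raw 2^31-2 -> %lld, overflows int with frame_num 15: %d\n",
           raw_ue(SAMPLE_CNT_2G, sizeof SAMPLE_CNT_2G), would_overflow_int(15, 2147483646u));
    printf("bounded    -> %lld (rejected)\n", parse_recovery_cnt(SAMPLE_CNT_2G, sizeof SAMPLE_CNT_2G));
    printf("truncated  -> %lld (malformed)\n", parse_recovery_cnt(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    printf("recovery_frame(65535, 5) -> %u\n", recovery_frame(65535u, 5u));
    return 0;
}
```

The 2^31 - 2 payload reproduces the value in the fuzzer report quoted in the patch: added to a frame_num of 15 it exceeds INT_MAX, which is exactly what the range check in the parser prevents from ever reaching the addition.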