From patchwork Fri Oct 5 01:31:44 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 10544
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 5 Oct 2018 03:31:44 +0200
Message-Id: <20181005013144.14465-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.19.0
Subject: [FFmpeg-devel] [PATCH] avcodec/h264_cavlc: Check mb_skip_run

Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_cavlc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 5e6a20304a..d82144e3c3 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl)
     cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */
     if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
-        if (sl->mb_skip_run == -1)
-            sl->mb_skip_run = get_ue_golomb_long(&sl->gb);
+        if (sl->mb_skip_run == -1) {
+            unsigned mb_skip_run = get_ue_golomb_long(&sl->gb);
+            if (mb_skip_run > h->mb_num) {
+                av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run);
+                return AVERROR_INVALIDDATA;
+            }
+            sl->mb_skip_run = mb_skip_run;
+        }
         if (sl->mb_skip_run--) {
             if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
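Review bot: the av_log call in the added check prints the unsigned mb_skip_run with %d; use %u (or cast) so that a value above INT_MAX, which is exactly the kind of value this check rejects, is not logged as a negative number. The bound itself is the right fix for the reported overflow: previously the unsigned result of get_ue_golomb_long() was stored straight into the int sl->mb_skip_run, so a large value wrapped to INT_MIN and the following sl->mb_skip_run-- produced the -2147483648 - 1 overflow named in the commit message; rejecting any run longer than h->mb_num with AVERROR_INVALIDDATA keeps the stored value non-negative before the decrement.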