[FFmpeg-devel,1/6] avcodec/sonic: Check e in get_symbol()

Submitted by Michael Niedermayer on Nov. 29, 2019, 11:59 p.m.

Details

Message ID 20191129235921.13096-1-michael@niedermayer.cc
State New
Headers show

Commit Message

Michael Niedermayer Nov. 29, 2019, 11:59 p.m.
Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int'
Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176
Fixes: 18753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5663299131932672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/sonic.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Michael Niedermayer Dec. 3, 2019, 3:07 p.m.
On Sat, Nov 30, 2019 at 12:59:20AM +0100, Michael Niedermayer wrote:
> This should increase coverage
> 
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  tools/target_dec_fuzzer.c | 6 ++++++
>  1 file changed, 6 insertions(+)

will apply this and the other coverage increasing patch so we get increased
coverage


[...]

Patch hide | download patch | download mbox

diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index 219412eb77..c975774b04 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -144,6 +144,8 @@  static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si
         e= 0;
         while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
         }
 
         a= 1;