From patchwork Fri Sep  8 21:29:11 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 5057
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.2.36.26 with SMTP id f26csp671747jaa;
	Fri, 8 Sep 2017 14:29:45 -0700 (PDT)
X-Google-Smtp-Source: 
 AOwi7QAxyaqWPbsJ8Hzr/vGtS4yAXCXauDgl2/ItobnVBiCI2HZOv0sOYKykrgDiRJ5vM4EFRsRz
X-Received: by 10.28.10.132 with SMTP id 126mr2510530wmk.46.1504906185299;
	Fri, 08 Sep 2017 14:29:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1504906185; cv=none;
	d=google.com; s=arc-20160816;
	b=dO3/3OIst0Q/O1XOJyRdC/x0OGB3NsMpJi73dqYg6Yz4jLj834n8geMNE+UZ6sfRR8
	e//MNPPjCurdSgAI6Hq33cvdGOMcMBBxzlCj4ZuEmOcUty3wpx7XNQ/R2UclhW3RGRPs
	8nCSNdUOVO1Q+5BN6SY0krO/i6gT1N3Ns6cT/P4wRp6cKLWeDZuIj1E9GBW/7dHZdaVE
	G3b6ljCSvcaVgOEBMThFg3YO6n91FkbCjOdluOFJoxiwqK5G9GJ0P9fmBnoVx+O8vs3b
	8n29jg6OQa0e4fN0acPD11y+WXq40PFAwlB+LmwO7dq4lWU5JwULasyoTmAUKchj6yL5
	BfKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=RwIhn3aDePm3T8zuy2CEnjuDwEcmihNrfMcmT4S8ilY=;
	b=nAVV2zV/w0/b3J0ScJwCu78Pi6L4cXm+uMc71UDHQvHP0fnImuMTdL7xE0/awUucGE
	KEi/gURM4XosnhlCMsm6Ls8wjnBh9OSsMgV4bKx/Hl83p3g6ip0fkjBD554aYhJjdAgF
	gAJqyOW4OfnSh86URt4iJGHdap2f28/2UFQlhgAgSLEOjzxYKoApzNO4dElUrCSruAnI
	vFNg1E5xuIYFn7H+Di27c+Advov1g4v9wA+Glv38ebiRdA7AuLk7c1R+O1uLHa7jTerJ
	Ywd6Pvv1F/BqgXAQ1cQc0EqEaEG70X9cM2tknCfKNBG5nDe8Heo1phPQ+GYVbmwNT4mo
	AJvA==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id h67si2113997wmg.49.2017.09.08.14.29.44;
	Fri, 08 Sep 2017 14:29:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D1ABB689D29;
	Sat,  9 Sep 2017 00:29:29 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe04-3.mx.upcmail.net
	(vie01a-dmta-pe04-3.mx.upcmail.net [62.179.121.165])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 9A74B689C7E
	for <ffmpeg-devel@ffmpeg.org>; Sat,  9 Sep 2017 00:29:23 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe04.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dqQq7-0000ar-ST
	for ffmpeg-devel@ffmpeg.org; Fri, 08 Sep 2017 23:29:27 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id 79VD1w0220S5wYM019VFk1; Fri, 08 Sep 2017 23:29:15 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri,  8 Sep 2017 23:29:11 +0200
Message-Id: <20170908212913.20478-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.14.1
Subject: [FFmpeg-devel] [PATCH 1/3] avcodec/dirac_vlc: Check res_bits after
	its modified by APPEND_RESIDUE()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: runtime error: left shift of 1073741838 by 1 places cannot be represented in type 'int32_t' (aka 'int')
Fixes: 3279/clusterfuzz-testcase-minimized-4564805744590848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dirac_vlc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c
index bd37f31f46..a475d3b0bc 100644
--- a/libavcodec/dirac_vlc.c
+++ b/libavcodec/dirac_vlc.c
@@ -63,6 +63,8 @@ int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf,
         if (res_bits && l->sign) {
             int32_t coeff = 1;
             APPEND_RESIDUE(res, l->preamble);
+            if (res_bits >= RSIZE_BITS)
+                res_bits = res = 0;
             for (i = 0; i < (res_bits >> 1) - 1; i++) {
                 coeff <<= 1;
                 coeff |= (res >> (RSIZE_BITS - 2*i - 2)) & 1;
@@ -105,6 +107,8 @@ int ff_dirac_golomb_read_16bit(DiracGolombLUT *lut_ctx, const uint8_t *buf,
         if (res_bits && l->sign) {
             int32_t coeff = 1;
             APPEND_RESIDUE(res, l->preamble);
+            if (res_bits >= RSIZE_BITS)
+                res_bits = res = 0;
             for (i = 0; i < (res_bits >> 1) - 1; i++) {
                 coeff <<= 1;
                 coeff |= (res >> (RSIZE_BITS - 2*i - 2)) & 1;