[FFmpeg-devel,2/2] avcodec/snowdec: Check mv_scale

Message ID	20171013010654.16525-2-michael@niedermayer.cc
State	Accepted
Commit	393d6fc7395611a38792e3c271b2be42ac45e672
Headers	show Delivered-To: ffmpegpatchwork@gmail.com Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Fri, 13 Oct 2017 03:06:54 +0200 Message-Id: <20171013010654.16525-2-michael@niedermayer.cc> In-Reply-To: <20171013010654.16525-1-michael@niedermayer.cc> References: <20171013010654.16525-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/snowdec: Check mv_scale Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Message ID

20171013010654.16525-2-michael@niedermayer.cc

State

Accepted

Commit

393d6fc7395611a38792e3c271b2be42ac45e672

Headers

Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100; 
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri, 13 Oct 2017 03:06:54 +0200
Message-Id: <20171013010654.16525-2-michael@niedermayer.cc>
In-Reply-To: <20171013010654.16525-1-michael@niedermayer.cc>
References: <20171013010654.16525-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/snowdec: Check mv_scale
Precedence: list
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Commit Message

Michael Niedermayer Oct. 13, 2017, 1:06 a.m. UTC

Fixes: runtime error: signed integer overflow: 2 * -1094995530 cannot be represented in type 'int'
Fixes: 3512/clusterfuzz-testcase-minimized-4812747210489856

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/snowdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index b74c468ce3..13668c2105 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -394,9 +394,10 @@  static int decode_header(SnowContext *s){
     s->mv_scale       += get_symbol(&s->c, s->header_state, 1);
     s->qbias          += get_symbol(&s->c, s->header_state, 1);
     s->block_max_depth+= get_symbol(&s->c, s->header_state, 1);
-    if(s->block_max_depth > 1 || s->block_max_depth < 0){
+    if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
         av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth);
         s->block_max_depth= 0;
+        s->mv_scale = 0;
         return AVERROR_INVALIDDATA;
     }
     if (FFABS(s->qbias) > 127) {

[FFmpeg-devel,2/2] avcodec/snowdec: Check mv_scale

Commit Message

Patch