From patchwork Fri Jun 8 22:11:30 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 9326
Delivered-To: ffmpegpatchwork@gmail.com
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 9 Jun 2018 00:11:30 +0200
Message-Id: <20180608221130.12644-4-michael@niedermayer.cc>
In-Reply-To: <20180608221130.12644-1-michael@niedermayer.cc>
References: <20180608221130.12644-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/4] avcodec/h264_slice: Fix overflow in recovery_frame computation

Fixes: signed integer overflow: 15 + 2147483646 cannot be represented in type 'int'
Fixes: 8381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6225533137321984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_sei.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
index 9defcb80b9..2f16d95f56 100644
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@@ -261,10 +261,16 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext * return 0; } -static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb) +static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb, void *logctx) { - h->recovery_frame_cnt = get_ue_golomb_long(gb); + unsigned recovery_frame_cnt = get_ue_golomb_long(gb); + if (recovery_frame_cnt > (1<<16)) { + av_log(logctx, AV_LOG_ERROR, "recovery_frame_cnt %d is out of range\n", recovery_frame_cnt); + return AVERROR_INVALIDDATA; + } + + h->recovery_frame_cnt = recovery_frame_cnt; /* 1b exact_match_flag, * 1b broken_link_flag, * 2b changing_slice_group_idc */ @@ -429,7 +435,7 @@ int ff_h264_sei_decode(H264SEIContext *h, GetBitContext *gb, ret = decode_unregistered_user_data(&h->unregistered, gb, logctx, size); break; case H264_SEI_TYPE_RECOVERY_POINT: - ret = decode_recovery_point(&h->recovery_point, gb); + ret = decode_recovery_point(&h->recovery_point, gb, logctx); break; case H264_SEI_TYPE_BUFFERING_PERIOD: ret = decode_buffering_period(&h->buffering_period, gb, ps, logctx);
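Review bot: in the first hunk (decode_recovery_point) the av_log format string uses %d for recovery_frame_cnt, which is declared unsigned; use %u so the conversion matches the argument type, otherwise a value above INT_MAX prints as negative and the line trips -Wformat. The ceiling (1<<16) is a fixed constant rather than the stream's own MaxFrameNum; it is enough to stop the reported 15 + 2147483646 overflow, but a one-line comment on why 1<<16 was chosen would help the next reader. Separately, the subject line says avcodec/h264_slice while the only file changed is libavcodec/h264_sei.c; the subject should name the file the fix lands in.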
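Review bot: the second hunk (@@ -429) updates the only visible caller to pass logctx, which matches the new signature and the neighbouring decode_unregistered_user_data and decode_buffering_period calls that already take logctx. Worth confirming that ff_h264_sei_decode handles the new AVERROR_INVALIDDATA from a recovery point SEI the same way it handles errors from the other SEI parsers, since an out-of-range recovery_frame_cnt now fails the message instead of being stored as-is.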