From patchwork Thu Mar  2 02:02:07 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 2722
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.31.14 with SMTP id f14csp39782vsf;
	Wed, 1 Mar 2017 18:03:01 -0800 (PST)
X-Received: by 10.28.175.138 with SMTP id y132mr6066841wme.86.1488420181160;
	Wed, 01 Mar 2017 18:03:01 -0800 (PST)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id 64si8818070wrn.92.2017.03.01.18.03.00;
	Wed, 01 Mar 2017 18:03:01 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 861D168829D;
	Thu,  2 Mar 2017 04:02:39 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe02-3.mx.upcmail.net
	(vie01a-dmta-pe02-3.mx.upcmail.net [62.179.121.159])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id AACCF688287
	for <ffmpeg-devel@ffmpeg.org>; Thu,  2 Mar 2017 04:02:33 +0200 (EET)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.87)
	(envelope-from <michael@niedermayer.cc>) id 1cjG4q-0008H1-1r
	for ffmpeg-devel@ffmpeg.org; Thu, 02 Mar 2017 03:02:44 +0100
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id qq291u0110S5wYM01q2Awo; Thu, 02 Mar 2017 03:02:10 +0100
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Thu,  2 Mar 2017 03:02:07 +0100
Message-Id: <20170302020207.23854-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20170302020207.23854-1-michael@niedermayer.cc>
References: <20170302020207.23854-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/mpeg4videodec: Improve the
	overflow checks in mpeg4_decode_sprite_trajectory()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Also clear the state on errors

Fixes integer overflows in 701/clusterfuzz-testcase-6594719951880192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mpeg4videodec.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 9f9374d550..568263ecdf 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -375,7 +375,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
             FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c
         ) {
             avpriv_request_sample(s->avctx, "Too large sprite shift or offset");
-            return AVERROR_PATCHWELCOME;
+            goto overflow;
         }
 
         for (i = 0; i < 2; i++) {
@@ -385,17 +385,23 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
             s->sprite_delta[1][i]  *= 1 << shift_y;
             ctx->sprite_shift[i]     = 16;
 
-            if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX ||
-                llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX ||
-                llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) {
+        }
+        for (i = 0; i < 2; i++) {
+            if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+                llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+                llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX) {
                 avpriv_request_sample(s->avctx, "Overflow on sprite points");
-                return AVERROR_PATCHWELCOME;
+                goto overflow;
             }
         }
         s->real_sprite_warping_points = ctx->num_sprite_warping_points;
     }
 
     return 0;
+overflow:
+    memset(s->sprite_offset, 0, sizeof(s->sprite_offset));
+    memset(s->sprite_delta, 0, sizeof(s->sprite_delta));
+    return AVERROR_PATCHWELCOME;
 }
 
 static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) {