
[FFmpeg-devel,2/3] avcodec/wavpack: Check bitrate_acc for overflow

Message ID 20170303191222.5097-2-michael@niedermayer.cc
State Accepted
Commit d03d38616278bf209e6c860d8f9f564cbc6c1780

Commit Message

Michael Niedermayer March 3, 2017, 7:12 p.m. UTC
Fixes: undefined behavior in 717/clusterfuzz-testcase-5434924129583104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavpack.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Patch

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index ebcdd96508..bf538a9b87 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -99,11 +99,13 @@  static av_always_inline int get_tail(GetBitContext *gb, int k)
     return res;
 }
 
-static void update_error_limit(WavpackFrameContext *ctx)
+static int update_error_limit(WavpackFrameContext *ctx)
 {
     int i, br[2], sl[2];
 
     for (i = 0; i <= ctx->stereo_in; i++) {
+        if (ctx->ch[i].bitrate_acc > UINT_MAX - ctx->ch[i].bitrate_delta)
+            return AVERROR_INVALIDDATA;
         ctx->ch[i].bitrate_acc += ctx->ch[i].bitrate_delta;
         br[i]                   = ctx->ch[i].bitrate_acc >> 16;
         sl[i]                   = LEVEL_DECAY(ctx->ch[i].slow_level);
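Review bot: The new guard `bitrate_acc > UINT_MAX - bitrate_delta` is only the right bound if both fields are declared unsigned; their declarations are outside this hunk, so that should be confirmed. If they are signed `int`, the addition on the next line can still overflow past `INT_MAX` without tripping the check, and the test would need an `INT_MAX` bound with sign-aware handling of `bitrate_delta`. An early return at `i == 1` also leaves channel 0's accumulator already advanced, which is harmless only if the caller stops decoding the frame on error. Since the function now returns a status, a header comment would help, e.g. `/* Returns 0 on success, AVERROR_INVALIDDATA if a channel's bitrate accumulator would overflow. */`. The body of update_error_limit continues past the end of this hunk.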
@@ -131,6 +133,8 @@  static void update_error_limit(WavpackFrameContext *ctx)
             ctx->ch[i].error_limit = wp_exp2(br[i]);
         }
     }
+
+    return 0;
 }
 
 static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
@@ -200,8 +204,10 @@  static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
         ctx->zero = !ctx->one;
     }
 
-    if (ctx->hybrid && !channel)
-        update_error_limit(ctx);
+    if (ctx->hybrid && !channel) {
+        if (update_error_limit(ctx) < 0)
+            goto error;
+    }
 
     if (!t) {
         base = 0;
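Review bot: The call site `if (update_error_limit(ctx) < 0) goto error;` discards the returned AVERROR code, so what the caller observes depends entirely on the `error` label, which lies outside this hunk. It is worth confirming that this path reports the corrupt input to the decoder's caller, or at least logs it, rather than ending the block as if the data had simply run out, because the condition is reachable from a malformed file. A one-line comment above the `goto`, such as `/* bitrate_acc overflow: corrupt stream */`, would record why the branch exists. wv_get_value starts and ends outside the hunk.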