From patchwork Sat Jul 15 23:06:55 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 4325
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.1.76 with SMTP id 73csp2889139vsb;
	Sat, 15 Jul 2017 16:07:11 -0700 (PDT)
X-Received: by 10.223.139.218 with SMTP id w26mr7215130wra.206.1500160031131;
	Sat, 15 Jul 2017 16:07:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1500160031; cv=none;
	d=google.com; s=arc-20160816;
	b=xzI0VUKBWomJAjw8M170cThL+4itXKMNVjOIcGwwZy7fZ5TLhkvq5xHAuNZgRkEX05
	Vd4Mkai6v1rcHo2Mviu+5JV9J3bihM0jHF/MijVfFcDZt8qc5l5qK30+d5evkAMAE8yg
	C1cTXklSyZiAzg1odZuE3VKPvomohXm8EKntJcxSt06s+8L9iyTCWE6Y30zEsg0xIbga
	yfAvHmh9pggUZBrFeNjaQqm+bBTgXoqATYpN4t1wFrbvN/LnJwR+W81EMilQTR534qGx
	2wvJN27xv1aAL0wOLfFtjHpYiF6P1txtC+266FBBnmdpC1YPdx/atSzQry9rQxLVK00r
	Lt0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=B5oW9YK7aKYvuYzA8GYeIDcruuEQ3K4C/+hjbORPIhQ=;
	b=hIuc3XSjRRN14S+eamSRBe+XIbfobvId65gLBTxJx9ke4eSaTMbi55lG/jiyTYTkgP
	lOL/PCpqJjR2T8TLTeoi2a/HxQoFTX6b0FcmJfQOaNDVR8XW26rDZDQkIp+4JPl1ASEq
	kxzBMtTYFqixYBIW8VP6cpVDw2UBGv2Cd3Pa/fQGsoWOgHT7jYRTEA3Vj4vsuve3+oPJ
	F+GMuQKxmnmsN6rRg/Qo2ZepyeIgx8WDZFRl7xhq4Kz7ZyyPhvtqTqRFtnsT47VqjG9z
	FdC8sBWoJNUtlfajwbP5GCIYVWgPKZk9elYmDJQqJmfaa7tAG7Ixfex7pczQACTg+Z30
	vnqg==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	f189si6006017wmg.98.2017.07.15.16.07.10;
	Sat, 15 Jul 2017 16:07:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 7CE726883D7;
	Sun, 16 Jul 2017 02:07:00 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-1.mx.upcmail.net
	(vie01a-dmta-pe05-1.mx.upcmail.net [84.116.36.11])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 9177E68071F
	for <ffmpeg-devel@ffmpeg.org>; Sun, 16 Jul 2017 02:06:54 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dWW9M-0000GQ-51
	for ffmpeg-devel@ffmpeg.org; Sun, 16 Jul 2017 01:07:00 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id lB6v1v00q0S5wYM01B6wbs; Sun, 16 Jul 2017 01:06:57 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun, 16 Jul 2017 01:06:55 +0200
Message-Id: <20170715230655.344-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.13.0
Subject: [FFmpeg-devel] [PATCH] avcodec/aacdec_template (fixed point): Check
	gain in decode_cce() to avoid undefined shifts later
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: runtime error: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 2581/clusterfuzz-testcase-minimized-4681474395602944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/aacdec_template.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index c60a6ca096..90cc143781 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -2199,6 +2199,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
             cge = coup->coupling_point == AFTER_IMDCT ? 1 : get_bits1(gb);
             gain = cge ? get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60: 0;
             gain_cache = GET_GAIN(scale, gain);
+#if USE_FIXED
+            if ((abs(gain_cache)-1024) >> 3 > 30)
+                return AVERROR(ERANGE);
+#endif
         }
         if (coup->coupling_point == AFTER_IMDCT) {
             coup->gain[c][0] = gain_cache;
@@ -2216,6 +2220,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
                                     t >>= 1;
                                 }
                                 gain_cache = GET_GAIN(scale, t) * s;
+#if USE_FIXED
+                                if ((abs(gain_cache)-1024) >> 3 > 30)
+                                    return AVERROR(ERANGE);
+#endif
                             }
                         }
                         coup->gain[c][idx] = gain_cache;