@@ -1854,17 +1854,19 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl,
sl->deblocking_filter ^= 1; // 1<->0
if (sl->deblocking_filter) {
- sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2;
- sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2;
- if (sl->slice_alpha_c0_offset > 12 ||
- sl->slice_alpha_c0_offset < -12 ||
- sl->slice_beta_offset > 12 ||
- sl->slice_beta_offset < -12) {
+ int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb);
+ int slice_beta_offset_div2 = get_se_golomb(&sl->gb);
+ if (slice_alpha_c0_offset_div2 > 6 ||
+ slice_alpha_c0_offset_div2 < -6 ||
+ slice_beta_offset_div2 > 6 ||
+ slice_beta_offset_div2 < -6) {
av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
- sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+ slice_alpha_c0_offset_div2, slice_beta_offset_div2);
return AVERROR_INVALIDDATA;
}
+ sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+ sl->slice_beta_offset = slice_beta_offset_div2 * 2;
}
}
Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int' Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/h264_slice.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)