From patchwork Wed Jan 24 03:34:49 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 7408
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.2.156.27 with SMTP id q27csp252491jak;
	Tue, 23 Jan 2018 19:35:18 -0800 (PST)
X-Google-Smtp-Source: 
 AH8x224uItR20AOH28L3xNIEkIZO+PZ5m3inY3XarIdJqv1bf4FyBiD9Froh/23RsUAyVQkhwhef
X-Received: by 10.223.163.153 with SMTP id l25mr4027297wrb.70.1516764918898;
	Tue, 23 Jan 2018 19:35:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516764918; cv=none;
	d=google.com; s=arc-20160816;
	b=ZNN1sY36VzC9Ku425t5fLsZ/ki/eNnJUFUfa1WnKu5kMvkDDrmvBlIPXDzfi4cVGIE
	7krV+Nm6dWAhym0U/dP61hM/6j4flFca5ycIww9A+eFT9x9bttXYiqU2B7R/qgz1JdXT
	hjv7biveJG6cPX4+0WWZwlwEIpqhFAtbqpMJbpzPwTRz5P3qxZmalgbrXFnYXJjd0sv+
	MA0DPL0frorwYzYLWB2xyAojOKtyIJ4Kpxgon22N7b9W4EzXMy3wxpZZErVIAPmaGvan
	C26CPBCeDRnKW0Lsh9nWJyPhTs7Tn9YR/hmzwaxib5UEVxwv6B4/Fgr9huE6aKl6Ea7g
	lvWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=iA9puljpBf0v5j/ituOyDIs6+8jEePmK6P3G3LGvBxg=;
	b=dAqxE5b1AomDjoIgNyJGfou2gRi+R7W4gVJk4G/Bvf4A3E3Qcka+u86X2Kc4N2AxyA
	DvyOaEWcF8qThZWc/PXpRz1MoI2912lupDA8cIm0+4Ve6zhPmITpknm1pFqaGzV1nAU1
	gnVGccIteeon2CNUEvHN6qGk7tY3XdGoFAmBKB6cxrGTgcnLV0sLL8Y0HlslconQCFwy
	1IsWmtyKr0JZcw3bzcRHBnH8YVUWw+6b+XuRK3147GxPHmG0t0OslqtpIH6hsg/1aY4A
	2paQZnHomcEC/2lzvjrMNGOkBy+4My2DNUbNdAT2inHrvrniwXIhIDKK4Zl09l4NFQVe
	RjCA==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id b2si180060wme.197.2018.01.23.19.35.18;
	Tue, 23 Jan 2018 19:35:18 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D4D49689E0B;
	Wed, 24 Jan 2018 05:35:09 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-qmta-pe02-2.mx.upcmail.net
	(vie01a-qmta-pe02-2.mx.upcmail.net [62.179.121.182])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0688D689B35
	for <ffmpeg-devel@ffmpeg.org>; Wed, 24 Jan 2018 05:35:03 +0200 (EET)
Received: from [172.31.218.35] (helo=vie01a-dmta-pe02-2.mx.upcmail.net)
	by vie01a-pqmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1eeBq4-0002mq-T8
	for ffmpeg-devel@ffmpeg.org; Wed, 24 Jan 2018 04:35:04 +0100
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1eeBpy-0006kX-VP
	for ffmpeg-devel@ffmpeg.org; Wed, 24 Jan 2018 04:34:58 +0100
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id 23ar1x0160S5wYM013asgY; Wed, 24 Jan 2018 04:34:52 +0100
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Wed, 24 Jan 2018 04:34:49 +0100
Message-Id: <20180124033450.4520-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.15.1
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/hevc_ps: Check
	log2_sao_offset_scale_*
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768
Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevc_ps.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 4787312cfa..746c96b17e 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1324,6 +1324,17 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx,
     pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb);
     pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb);
 
+    if (   pps->log2_sao_offset_scale_luma   > FFMAX(sps->bit_depth        - 10, 0)
+        || pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0)
+    ) {
+        av_log(avctx, AV_LOG_ERROR,
+                "log2 sao offset scales (%d %d) are invalid\n",
+               pps->log2_sao_offset_scale_luma,
+               pps->log2_sao_offset_scale_chroma
+              );
+        return AVERROR_INVALIDDATA;
+    }
+
     return(0);
 }