[FFmpeg-devel,2/2] avcodec/cavsdec: Check alpha/beta offset

Message ID	20180221032945.29394-2-michael@niedermayer.cc
State	Accepted
Commit	ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e
Headers	show Delivered-To: ffmpegpatchwork@gmail.com Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Wed, 21 Feb 2018 04:29:45 +0100 Message-Id: <20180221032945.29394-2-michael@niedermayer.cc> In-Reply-To: <20180221032945.29394-1-michael@niedermayer.cc> References: <20180221032945.29394-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/cavsdec: Check alpha/beta offset Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Message ID

20180221032945.29394-2-michael@niedermayer.cc

State

Accepted

Commit

ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e

Headers

Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100; 
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Wed, 21 Feb 2018 04:29:45 +0100
Message-Id: <20180221032945.29394-2-michael@niedermayer.cc>
In-Reply-To: <20180221032945.29394-1-michael@niedermayer.cc>
References: <20180221032945.29394-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/cavsdec: Check alpha/beta offset
Precedence: list
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Commit Message

Michael Niedermayer Feb. 21, 2018, 3:29 a.m. UTC

Fixes: Integer overflow
Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cavsdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 06c752735e..c7fff67c06 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1067,6 +1067,11 @@  static int decode_pic(AVSContext *h)
     if (!h->loop_filter_disable && get_bits1(&h->gb)) {
         h->alpha_offset        = get_se_golomb(&h->gb);
         h->beta_offset         = get_se_golomb(&h->gb);
+        if (   h->alpha_offset < -64 || h->alpha_offset > 64
+            || h-> beta_offset < -64 || h-> beta_offset > 64) {
+            h->alpha_offset = h->beta_offset  = 0;
+            return AVERROR_INVALIDDATA;
+        }
     } else {
         h->alpha_offset = h->beta_offset  = 0;
     }

[FFmpeg-devel,2/2] avcodec/cavsdec: Check alpha/beta offset

Commit Message

Patch