Message ID | 20180221032945.29394-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e |
Headers | show |
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 06c752735e..c7fff67c06 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h) if (!h->loop_filter_disable && get_bits1(&h->gb)) { h->alpha_offset = get_se_golomb(&h->gb); h->beta_offset = get_se_golomb(&h->gb); + if ( h->alpha_offset < -64 || h->alpha_offset > 64 + || h-> beta_offset < -64 || h-> beta_offset > 64) { + h->alpha_offset = h->beta_offset = 0; + return AVERROR_INVALIDDATA; + } } else { h->alpha_offset = h->beta_offset = 0; }
Fixes: Integer overflow Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+)