Message ID | 20200424220431.13792-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Series | [FFmpeg-devel] avcodec/dirac_vlc: Fix integer overflow in ff_dirac_golomb_read_32bit() |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
Apr 24, 2020, 23:04 by michael@niedermayer.cc: > Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int32_t' (aka 'int') > Fixes: 21245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5683334274613248 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/dirac_vlc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c > index fbe28017bc..6d53078fc0 100644 > --- a/libavcodec/dirac_vlc.c > +++ b/libavcodec/dirac_vlc.c > @@ -1115,7 +1115,7 @@ int ff_dirac_golomb_read_32bit(const uint8_t *buf, int bytes, > { > LUTState lut = ff_dirac_golomb_lut[*buf++]; > int32_t *dst = (int32_t *)_dst, *last = dst + coeffs; > - int32_t val = 0; > + uint32_t val = 0; > > for (int i = 1; i < bytes; i++) > PROCESS_VALS; > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org> with subject "unsubscribe". > LGTM. You should change the same variable in ff_dirac_golomb_read_16bit to a uint16_t too, to be safe.
On Sat, Apr 25, 2020 at 12:29:15AM +0200, Lynne wrote: > Apr 24, 2020, 23:04 by michael@niedermayer.cc: > > > Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int32_t' (aka 'int') > > Fixes: 21245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5683334274613248 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/dirac_vlc.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c > > index fbe28017bc..6d53078fc0 100644 > > --- a/libavcodec/dirac_vlc.c > > +++ b/libavcodec/dirac_vlc.c > > @@ -1115,7 +1115,7 @@ int ff_dirac_golomb_read_32bit(const uint8_t *buf, int bytes, > > { > > LUTState lut = ff_dirac_golomb_lut[*buf++]; > > int32_t *dst = (int32_t *)_dst, *last = dst + coeffs; > > - int32_t val = 0; > > + uint32_t val = 0; > > > > for (int i = 1; i < bytes; i++) > > PROCESS_VALS; > > -- > > 2.17.1 > > > > _______________________________________________ > > ffmpeg-devel mailing list > > ffmpeg-devel@ffmpeg.org > > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > > > To unsubscribe, visit link above, or email > > ffmpeg-devel-request@ffmpeg.org> with subject "unsubscribe". > > > > LGTM. > You should change the same variable in ff_dirac_golomb_read_16bit to a uint16_t too, to be safe. will apply with that change thx [...]
diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c index fbe28017bc..6d53078fc0 100644 --- a/libavcodec/dirac_vlc.c +++ b/libavcodec/dirac_vlc.c @@ -1115,7 +1115,7 @@ int ff_dirac_golomb_read_32bit(const uint8_t *buf, int bytes, { LUTState lut = ff_dirac_golomb_lut[*buf++]; int32_t *dst = (int32_t *)_dst, *last = dst + coeffs; - int32_t val = 0; + uint32_t val = 0; for (int i = 1; i < bytes; i++) PROCESS_VALS;
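Review bot: at the changed declaration `uint32_t val = 0;`, the accumulator becomes unsigned while `dst` and `last` on the line above stay `int32_t *`, and the hunk does not show how PROCESS_VALS turns `val` back into a signed coefficient. It is worth confirming that the macro's sign handling and any store of `val` through `dst` still behave as intended once `val` can hold values above INT32_MAX, since that conversion back to `int32_t` is implementation-defined rather than checked. A one-line comment at the declaration saying that `val` is unsigned so the left shift reported by the fuzzer wraps instead of overflowing a signed type would keep a later cleanup from reverting it. The changed line contains no shift itself, so the commit message could also name PROCESS_VALS as the place where the reported shift presumably occurs.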
Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int32_t' (aka 'int') Fixes: 21245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5683334274613248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/dirac_vlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)