From patchwork Tue Jul 14 20:19:50 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 21016
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 276C744A518
	for <patchwork@ffaux-bg.ffmpeg.org>; Tue, 14 Jul 2020 23:20:34 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 110EF68A964;
	Tue, 14 Jul 2020 23:20:34 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wr1-f67.google.com (mail-wr1-f67.google.com
 [209.85.221.67])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4103A6897CE
 for <ffmpeg-devel@ffmpeg.org>; Tue, 14 Jul 2020 23:20:28 +0300 (EEST)
Received: by mail-wr1-f67.google.com with SMTP id z15so23918wrl.8
 for <ffmpeg-devel@ffmpeg.org>; Tue, 14 Jul 2020 13:20:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=K4/ln68oOaS1QILrwUv38c92ttSa9wTCJFeMnxOUN5Y=;
 b=QIKU7YhZ5xx8W3vFsUsiGbE2ydzB6MfSMteyLMraylOMIEsfSynvRZhz6pCJfBnIim
 o4OmkBXXOWShy43UniwBYOAvrb48qp3FfrAj2IWjZSrqomQE6PSxRfXIBHeW+7PnzicU
 hB5QviHD2CEWKNH1AxxP/mtgWEXuTGB0nuWR6K0tZo7aRlqW9weBCfug/cX8cOOXAwdG
 /lDrrVVY+C7qNKE7I7HI4sqaHko6eR632C/FGFhqIqXgjF9IdG6pFLKG11eqwB2g4yBX
 EBRjGt3kV7Rb5AKHvpco+5DUvxkLxs18z2MdPHTdCkzbxYdgrqifs58qnyhy9o6ihzCh
 lAOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=K4/ln68oOaS1QILrwUv38c92ttSa9wTCJFeMnxOUN5Y=;
 b=OWQMFWwK7AhGiakFLQfkkLfbUCMNGFrokKa/LaOnZSVjwv6+1amKltmsixQ1JBPvzV
 Ik3aubmuf1j8txJn79WEhg8q8Cfoidzvvp/mm5tKpw0baqa9T0G1GE3xbQQm51aCo+I9
 A9U/WQEvfkuJ/6yq4P3KRrPivR0qVsHBV886YOR42ucTVpTzmePLpWMfaPxeg6tuUvGk
 UWDbKk2vQM7HeGV4imsGSj79B7MkGagAIy7e4UbPqBVY1t1CgakfCbyHMTtPSXCyMei3
 WwqLUyNUFuSvyXwrn9kgsEU+1bTU9B/3+MxfbIuObrFxwYYxNsM3J1ERuwD8T8G2eT7L
 KkCA==
X-Gm-Message-State: AOAM530eD+NMA+S/+Vg8A39Cr4DC8s4S43x0PcNN2pkoC1yxMdoptxZc
 jeX3aoc+1VV+f5Ac6DBCyZVurjJc
X-Google-Smtp-Source: 
 ABdhPJw2KFAvYHfryUk88zUF0HX5aCPoJ/5gQTH3o1wxQRLgUgAoAqJMNtjO/Wch7DAv/oS5gpPBzA==
X-Received: by 2002:a5d:69cf:: with SMTP id s15mr7950027wrw.10.1594758027260;
 Tue, 14 Jul 2020 13:20:27 -0700 (PDT)
Received: from sblaptop.fritz.box (ipbcc10296.dynamic.kabel-deutschland.de.
 [188.193.2.150])
 by smtp.gmail.com with ESMTPSA id j15sm29462355wrx.69.2020.07.14.13.20.26
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 14 Jul 2020 13:20:26 -0700 (PDT)
From: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 14 Jul 2020 22:19:50 +0200
Message-Id: <20200714201954.30327-2-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200714201954.30327-1-andreas.rheinhardt@gmail.com>
References: <20200714201954.30327-1-andreas.rheinhardt@gmail.com>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH v2 2/6] avcodec/golomb: Prevent shift by
	negative number
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

This happened in get_ue_golomb() if the cached bitstream reader was in
use, because there was no check to handle the case of the read value
not being in the supported range.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavcodec/golomb.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
index 1f988d74aa..a53486d7cf 100644
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -66,6 +66,8 @@ static inline int get_ue_golomb(GetBitContext *gb)
         return ff_ue_golomb_vlc_code[buf];
     } else {
         int log = 2 * av_log2(buf) - 31;
+        if (log < 0)
+            return AVERROR_INVALIDDATA;
         buf >>= log;
         buf--;
         skip_bits_long(gb, 32 - log);