| Message ID | 20210929191629.9314-3-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | f054871a650f0505bfecf7819f79882067febc12 |
| Headers | show |
| Series | [FFmpeg-devel,1/3] avformat/rmdec: Check for multiple audio_stream_info | expand |
| Context | Check | Description |
|---|---|---|
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
| andriy/make_ppc | success | Make finished |
| andriy/make_fate_ppc | success | Make fate finished |
On Wed, Sep 29, 2021 at 09:16:29PM +0200, Michael Niedermayer wrote: > Fixes: left shift of negative value -1 > Fixes: 39223/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5498831521841152 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/h264_slice.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) will apply [...]
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 201b22455cf..89ea16a57ff 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1911,8 +1911,13 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, sl->max_pic_num = 1 << (sps->log2_max_frame_num + 1); } - if (nal->type == H264_NAL_IDR_SLICE) - sl->idr_pic_id = get_ue_golomb_long(&sl->gb); + if (nal->type == H264_NAL_IDR_SLICE) { + unsigned idr_pic_id = get_ue_golomb_long(&sl->gb); + if (idr_pic_id < 65536) { + sl->idr_pic_id = idr_pic_id; + } else + av_log(h->avctx, AV_LOG_WARNING, "idr_pic_id is invalid\n"); + } sl->poc_lsb = 0; sl->delta_poc_bottom = 0;
Fixes: left shift of negative value -1 Fixes: 39223/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5498831521841152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/h264_slice.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)