diff mbox series

[FFmpeg-devel,3/4] avformat/mxfdec: Check component_depth in mxf_get_color_range()

Message ID 20211204213258.11971-3-michael@niedermayer.cc
State Accepted
Commit a4af92d7cb044424d31a99fc2f8a091f882036a5
Headers show
Series [FFmpeg-devel,1/4] avformat/mov: Check for EOF in mov_read_glbl()
Related show

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished

Commit Message

Michael Niedermayer Dec. 4, 2021, 9:32 p.m. UTC
Fixes: shift exponent 4294967163 is too large for 32-bit type 'int'
Fixes: 41449/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6183636217495552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Tomas Härdin Dec. 7, 2021, 11:38 p.m. UTC | #1
lör 2021-12-04 klockan 22:32 +0100 skrev Michael Niedermayer:
> Fixes: shift exponent 4294967163 is too large for 32-bit type 'int'
> Fixes: 41449/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-
> 6183636217495552
> 
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mxfdec.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index af9d33f7969..c231c944c01 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -2274,12 +2274,12 @@ static enum AVColorRange
> mxf_get_color_range(MXFContext *mxf, MXFDescriptor *des
>          /* CDCI range metadata */
>          if (!descriptor->component_depth)
>              return AVCOL_RANGE_UNSPECIFIED;
> -        if (descriptor->black_ref_level == 0 &&
> +        if (descriptor->black_ref_level == 0 && descriptor-
> >component_depth < 31 &&
>              descriptor->white_ref_level == ((1<<descriptor-
> >component_depth) - 1) &&
>              (descriptor->color_range    == (1<<descriptor-
> >component_depth) ||
>               descriptor->color_range    == ((1<<descriptor-
> >component_depth) - 1)))
>              return AVCOL_RANGE_JPEG;
> -        if (descriptor->component_depth >= 8 &&
> +        if (descriptor->component_depth >= 8 && descriptor-
> >component_depth < 31 &&
>              descriptor->black_ref_level == (1  <<(descriptor-
> >component_depth - 4)) &&
>              descriptor->white_ref_level == (235<<(descriptor-
> >component_depth - 8)) &&
>              descriptor->color_range     == ((14<<(descriptor-
> >component_depth - 4)) + 1))

Looks OK

/Tomas
diff mbox series

Patch

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index af9d33f7969..c231c944c01 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -2274,12 +2274,12 @@  static enum AVColorRange mxf_get_color_range(MXFContext *mxf, MXFDescriptor *des
         /* CDCI range metadata */
         if (!descriptor->component_depth)
             return AVCOL_RANGE_UNSPECIFIED;
-        if (descriptor->black_ref_level == 0 &&
+        if (descriptor->black_ref_level == 0 && descriptor->component_depth < 31 &&
             descriptor->white_ref_level == ((1<<descriptor->component_depth) - 1) &&
             (descriptor->color_range    == (1<<descriptor->component_depth) ||
              descriptor->color_range    == ((1<<descriptor->component_depth) - 1)))
             return AVCOL_RANGE_JPEG;
-        if (descriptor->component_depth >= 8 &&
+        if (descriptor->component_depth >= 8 && descriptor->component_depth < 31 &&
             descriptor->black_ref_level == (1  <<(descriptor->component_depth - 4)) &&
             descriptor->white_ref_level == (235<<(descriptor->component_depth - 8)) &&
             descriptor->color_range     == ((14<<(descriptor->component_depth - 4)) + 1))