[FFmpeg-devel,3/4] avcodec/vvc_parser: Avoid undefined overflow in POC computation

Message ID 20230726235916.30058-3-michael@niedermayer.cc
State Accepted
Commit f1954ff8d13b7d72cbdfe9515b7ae130d65bc2b0
Series [FFmpeg-devel,1/4] avcodec/rtv1: Check if the minimal size is available in decode_rtv1()

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer July 26, 2023, 11:59 p.m. UTC
The comments to the function say that it does not implement the spec and
instead follows VTM.
This patch is quite likely not the right solution and more intended to show
the issue to people knowing the specific part of VTM ...

Fixes: signed integer overflow: 2147483392 + 256 cannot be represented in type 'int'
Fixes: 60505/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6216675924770816

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vvc_parser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/libavcodec/vvc_parser.c b/libavcodec/vvc_parser.c
index 3951ebe50a..c661595e1e 100644
--- a/libavcodec/vvc_parser.c
+++ b/libavcodec/vvc_parser.c
@@ -225,10 +225,10 @@  static void get_slice_poc(VVCParserContext *s, int *poc,
         } else {
             if ((poc_lsb < prev_poc_lsb) && ((prev_poc_lsb - poc_lsb) >=
                 (max_poc_lsb / 2)))
-                poc_msb = prev_poc_msb + max_poc_lsb;
+                poc_msb = prev_poc_msb + (unsigned)max_poc_lsb;
             else if ((poc_lsb > prev_poc_lsb) && ((poc_lsb - prev_poc_lsb) >
                      (max_poc_lsb / 2)))
-                poc_msb = prev_poc_msb - max_poc_lsb;
+                poc_msb = prev_poc_msb - (unsigned)max_poc_lsb;
             else
                 poc_msb = prev_poc_msb;
         }
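
Review bot: The `(unsigned)` casts on the two `poc_msb` assignments silence the sanitizer but leave the wraparound unhandled. With the operands from the report (2147483392 + 256) the sum now wraps modulo 2^32 and is stored straight back into `poc_msb` with no range check, so stream-controlled input still produces a wrapped POC MSB. If `poc_msb` is an `int` (its declaration is outside this hunk), that store is also an out-of-range unsigned-to-signed conversion, which is implementation-defined rather than undefined. Either add a comment on these lines stating that modular wraparound is the intended behaviour here, or bound `prev_poc_msb` before the add and subtract. The hunk header shows `get_slice_poc` returns `void`, so rejecting the stream would need a clamp or a signature change. Any later arithmetic on `poc_msb` outside the visible lines needs the same check if it is still done in signed `int`.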