Message ID | 20240816231504.3166080-5-michael@niedermayer.cc |
---|---|
State | New |
Series | [FFmpeg-devel,1/5] avcodec/get_buffer: Use av_buffer_mallocz() for audio same as its done for video |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
On 8/16/2024 8:15 PM, Michael Niedermayer wrote: > Fixes: left shift of 1 by 31 places cannot be represented in type 'int' > Fixes: 70726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6149928703819776 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/hevc/ps.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c > index 80ac35a7dbf..cd5ece72b0a 100644 > --- a/libavcodec/hevc/ps.c > +++ b/libavcodec/hevc/ps.c > @@ -1101,7 +1101,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, > sps->used_by_curr_pic_lt = 0; > for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { > sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); > - sps->used_by_curr_pic_lt |= get_bits1(gb) * (1 << i); > + sps->used_by_curr_pic_lt |= get_bits1(gb) * (1U << i);

Why not just get_bits1(gb) << i? get_bits1() returns an unsigned int (either 0 or 1), so no chance of a left shift of a negative number.
On Fri, Aug 16, 2024 at 08:27:07PM -0300, James Almer wrote: > On 8/16/2024 8:15 PM, Michael Niedermayer wrote: > > Fixes: left shift of 1 by 31 places cannot be represented in type 'int' > > Fixes: 70726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6149928703819776 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/hevc/ps.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c > > index 80ac35a7dbf..cd5ece72b0a 100644 > > --- a/libavcodec/hevc/ps.c > > +++ b/libavcodec/hevc/ps.c > > @@ -1101,7 +1101,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, > > sps->used_by_curr_pic_lt = 0; > > for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { > > sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); > > - sps->used_by_curr_pic_lt |= get_bits1(gb) * (1 << i); > > + sps->used_by_curr_pic_lt |= get_bits1(gb) * (1U << i); > > Why not just get_bits1(gb) << i? get_bits1() returns an unsigned int (Either > 0 or 1), so no chances for a left shift of negative number.

ok, will apply with that thx [...]
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c index 80ac35a7dbf..cd5ece72b0a 100644 --- a/libavcodec/hevc/ps.c +++ b/libavcodec/hevc/ps.c @@ -1101,7 +1101,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->used_by_curr_pic_lt = 0; for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); - sps->used_by_curr_pic_lt |= get_bits1(gb) * (1 << i); + sps->used_by_curr_pic_lt |= get_bits1(gb) * (1U << i); } }
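Review bot: In the changed line inside the for loop of ff_hevc_parse_sps(), `1U << i` is only defined while i is smaller than the bit width of unsigned int, and the check that bounds sps->num_long_term_ref_pics_sps is not visible in this hunk. Please confirm the count is validated before the loop so that i cannot reach the width of the type, and say so in the commit message, since the reported failure was a shift by 31. The multiplication is also unnecessary if get_bits1() returns an unsigned value: `get_bits1(gb) << i` expresses the same thing, as suggested in the reply above.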
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 70726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6149928703819776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevc/ps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)