avcodec/dnxhddec: Check dc vlc

Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 'int' Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2018-01-03 23:42:00 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2018-01-05 03:35:48 +0100
commit: b2be76c0a472b729756ed7a91225c209d0dd1d2e (patch)
tree: 03454f93de4071b26ae65ad46202cfc0ae815bf0
parent: e425047a47b68dd21d50f0d83cfd7ae816268f57 (diff)
download: ffmpeg-b2be76c0a472b729756ed7a91225c209d0dd1d2e.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c
index 05f4458f99..11d0bf424a 100644
--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@@ -383,6 +383,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,
 
     UPDATE_CACHE(bs, &row->gb);
     GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1);
+    if (len < 0) {
+        ret = len;
+        goto error;
+    }
     if (len) {
         level = GET_CACHE(bs, &row->gb);
         LAST_SKIP_BITS(bs, &row->gb, len);
@@ -436,7 +440,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,
         GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table,
                 DNXHD_VLC_BITS, 2);
     }
-
+error:
     CLOSE_READER(bs, &row->gb);
     return ret;
 }
author	Michael Niedermayer <michael@niedermayer.cc>	2018-01-03 23:42:00 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2018-01-05 03:35:48 +0100
commit	b2be76c0a472b729756ed7a91225c209d0dd1d2e (patch)
tree	03454f93de4071b26ae65ad46202cfc0ae815bf0
parent	e425047a47b68dd21d50f0d83cfd7ae816268f57 (diff)
download	ffmpeg-b2be76c0a472b729756ed7a91225c209d0dd1d2e.tar.gz