aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2018-10-04 03:13:41 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2018-10-18 02:28:54 +0200
commitf72b9904fefa79d799d0f6ecc8bd97ce52658725 (patch)
treea8459a9cf2b4be755856ef40c2043644fbe6e516
parentd7dbad12f820a72997772ff5e535bee3eb7c5b4b (diff)
downloadffmpeg-f72b9904fefa79d799d0f6ecc8bd97ce52658725.tar.gz
avcodec/h264_cavlc: Check mb_skip_run
Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264 Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/h264_cavlc.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 5e6a20304a..d82144e3c3 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl)
cbp = 0; /* avoid warning. FIXME: find a solution without slowing
down the code */
if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
- if (sl->mb_skip_run == -1)
- sl->mb_skip_run = get_ue_golomb_long(&sl->gb);
+ if (sl->mb_skip_run == -1) {
+ unsigned mb_skip_run = get_ue_golomb_long(&sl->gb);
+ if (mb_skip_run > h->mb_num) {
+ av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run);
+ return AVERROR_INVALIDDATA;
+ }
+ sl->mb_skip_run = mb_skip_run;
+ }
if (sl->mb_skip_run--) {
if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {