aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-08-02 00:46:49 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-08-03 15:42:52 +0200
commit4ff94558f23a5de43aed4ca3429963dd1d995250 (patch)
tree9718f3a988908f8749699f6c2151e8672aa36e71
parentd1bfa80ec464d475a0de3f513bbb62bcd356099a (diff)
downloadffmpeg-4ff94558f23a5de43aed4ca3429963dd1d995250.tar.gz
avcodec/hevc_cabac: Check for ff_init_cabac_decoder() failure in cabac_reinit()
Fixes: runtime error: left shift of negative value -967831544 Fixes: 2815/clusterfuzz-testcase-minimized-6062914471460864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/hevc_cabac.c22
1 files changed, 12 insertions, 10 deletions
diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 4c14e77bcd..853fd3f722 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -462,9 +462,9 @@ static void load_states(HEVCContext *s)
memcpy(s->HEVClc->cabac_state, s->cabac_state, HEVC_CONTEXTS);
}
-static void cabac_reinit(HEVCLocalContext *lc)
+static int cabac_reinit(HEVCLocalContext *lc)
{
- skip_bytes(&lc->cc, 0);
+ return skip_bytes(&lc->cc, 0) == NULL ? AVERROR_INVALIDDATA : 0;
}
static int cabac_init_decoder(HEVCContext *s)
@@ -524,25 +524,27 @@ int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
} else {
if (s->ps.pps->tiles_enabled_flag &&
s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]) {
+ int ret;
if (s->threads_number == 1)
- cabac_reinit(s->HEVClc);
+ ret = cabac_reinit(s->HEVClc);
else {
- int ret = cabac_init_decoder(s);
- if (ret < 0)
- return ret;
+ ret = cabac_init_decoder(s);
}
+ if (ret < 0)
+ return ret;
cabac_init_state(s);
}
if (s->ps.pps->entropy_coding_sync_enabled_flag) {
if (ctb_addr_ts % s->ps.sps->ctb_width == 0) {
+ int ret;
get_cabac_terminate(&s->HEVClc->cc);
if (s->threads_number == 1)
- cabac_reinit(s->HEVClc);
+ ret = cabac_reinit(s->HEVClc);
else {
- int ret = cabac_init_decoder(s);
- if (ret < 0)
- return ret;
+ ret = cabac_init_decoder(s);
}
+ if (ret < 0)
+ return ret;
if (s->ps.sps->ctb_width == 1)
cabac_init_state(s);