authorMichael Niedermayer <michael@niedermayer.cc>2017-02-23 23:46:30 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2017-02-24 00:38:45 +0100
commit0d85c7bb5a4c398863848ecdf44a0c9f1778da06 (patch)
tree2aec7e6d271368dd02532e3d6604d394c4d5d0eb
parente98dfeb27c2a82673d7f1782705f6694ec9062ca (diff)
avcodec/ituh263dec: Fix runtime error: left shift of 1342177279 by 1 places cannot be represented in type 'int'
Fixes: 659/clusterfuzz-testcase-5866673603084288 Huge DMV could be created by an encoder ignoring the spec Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/ituh263dec.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c
index 9a2c8e6c42..09b6a2f17d 100644
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -303,6 +303,10 @@ static int h263p_decode_umotion(MpegEncContext * s, int pred)
{
code <<= 1;
code += get_bits1(&s->gb);
+ if (code >= 32768) {
+ avpriv_request_sample(s->avctx, "Huge DMV");
+ return AVERROR_INVALIDDATA;
+ }
}
sign = code & 1;
code >>= 1;
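Review bot: The added `return AVERROR_INVALIDDATA;` inside the bit-reading loop goes out through the same `int` that carries the decoded motion value, and that value is signed (the `sign = code & 1` step follows directly), so a negative error code is in-band unless every caller tests for it explicitly. The call sites are outside this hunk; if they only compare the result against a positive out-of-range sentinel, the error would be consumed as an ordinary motion vector on malformed input instead of aborting the macroblock. It is worth confirming how the callers detect failure, or returning whatever sentinel they already check for. The bound 32768 would also benefit from a one-line comment such as `/* code doubles per iteration; reject long before code <<= 1 can overflow int */`. The body of h263p_decode_umotion starts and ends outside the hunk.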