avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset

Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int' Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-09-19 16:29:15 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-10-15 22:53:56 +0200
commit: 106f11f68af643ad1f372b840d38a0a30c6e9bcf (patch)
tree: 96d76727fb28f2382388aee28b37cd7dacc4d7f1
parent: eeabdef1bf96cdecf80aeb8d0478d008457b048c (diff)
download: ffmpeg-106f11f68af643ad1f372b840d38a0a30c6e9bcf.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index a88160fefa..699c13bbcc 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -815,6 +815,11 @@ static int hls_slice_header(HEVCContext *s)
         if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) {
             sh->slice_cb_qp_offset = get_se_golomb(gb);
             sh->slice_cr_qp_offset = get_se_golomb(gb);
+            if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 ||
+                sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) {
+                av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n");
+                return AVERROR_INVALIDDATA;
+            }
         } else {
             sh->slice_cb_qp_offset = 0;
             sh->slice_cr_qp_offset = 0;
author	Michael Niedermayer <michael@niedermayer.cc>	2020-09-19 16:29:15 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-10-15 22:53:56 +0200
commit	106f11f68af643ad1f372b840d38a0a30c6e9bcf (patch)
tree	96d76727fb28f2382388aee28b37cd7dacc4d7f1
parent	eeabdef1bf96cdecf80aeb8d0478d008457b048c (diff)
download	ffmpeg-106f11f68af643ad1f372b840d38a0a30c6e9bcf.tar.gz