aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-09-17 19:53:45 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2019-12-06 20:30:57 +0100
commitbdcff3ef0dcb204759e6843cd3a6e5da7aed0a5f (patch)
treec4f0fdf1e8344ce0014eebfc16043d5eff46474d
parente5ea4e727c5523d78b3569b519228f5d251b02bd (diff)
downloadffmpeg-bdcff3ef0dcb204759e6843cd3a6e5da7aed0a5f.tar.gz
avcodec/4xm: Check index in decode_i_block() also in the path where its not used.
Fixes: Infinite loop Fixes: signed integer overflow: 2147483644 + 16 cannot be represented in type 'int' Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Fixes: 16782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5743163859271680 Fixes: 17641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5711603562971136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 87ddf9f1ef17726fd4235f2e7aed8334d0ff231b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/4xm.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index ee7cb3b420..71eb71fc3c 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -525,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block)
break;
if (code == 0xf0) {
i += 16;
+ if (i >= 64) {
+ av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i);
+ return 0;
+ }
} else {
if (code & 0xf) {
level = get_xbits(&f->gb, code & 0xf);