avcodec/fic: Check coefficients

Fixes: signed integer overflow: 1258291200 * 2 cannot be represented in type 'int' Fixes: 1413/clusterfuzz-testcase-minimized-5923451770503168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-05-08 21:32:56 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-05-09 00:42:20 +0200
commit: 548459080b1bd698a2e475e5d177b6e7d2538537 (patch)
tree: 7d45fca379bacf888dc9244af1b0dfc4f4d30348 /libavcodec/fic.c
parent: d3088e0fd8749788818cb5df92abaa3b12e409e1 (diff)
download: ffmpeg-548459080b1bd698a2e475e5d177b6e7d2538537.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 3805f70722..613b306af5 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -150,9 +150,13 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb,
     if (num_coeff > 64)
         return AVERROR_INVALIDDATA;
 
-    for (i = 0; i < num_coeff; i++)
-        block[ff_zigzag_direct[i]] = get_se_golomb(gb) *
+    for (i = 0; i < num_coeff; i++) {
+        int v = get_se_golomb(gb);
+        if (v < -2048 || v > 2048)
+             return AVERROR_INVALIDDATA;
+        block[ff_zigzag_direct[i]] = v *
                                      ctx->qmat[ff_zigzag_direct[i]];
+    }
 
     fic_idct_put(dst, stride, block);
author	Michael Niedermayer <michael@niedermayer.cc>	2017-05-08 21:32:56 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-05-09 00:42:20 +0200
commit	548459080b1bd698a2e475e5d177b6e7d2538537 (patch)
tree	7d45fca379bacf888dc9244af1b0dfc4f4d30348 /libavcodec/fic.c
parent	d3088e0fd8749788818cb5df92abaa3b12e409e1 (diff)
download	ffmpeg-548459080b1bd698a2e475e5d177b6e7d2538537.tar.gz