authorMichael Niedermayer <michael@niedermayer.cc>2017-11-05 21:20:05 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2017-12-02 00:28:59 +0100
commitf33f13172cfe34b3bedb59964957d8d784f9cea0 (patch)
tree75eda8cb53069d4d359ece6c924e9f5d8ebf668c /libavcodec
parentb9e9c5cee03ff9a092f9d8f13df22d91979c24e3 (diff)
avcodec/snowdec: Fix integer overflow in header parsing
Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576 Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/snowdec.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 6eff729a19..2b92ed3de0 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){
}
}
- s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1);
+ s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1);
if(s->spatial_decomposition_type > 1U){
av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type);
return AVERROR_INVALIDDATA;
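Review bot: The `(unsigned)` cast on the `spatial_decomposition_type` accumulation carries no comment explaining why it is there, so it reads like a redundant cast that a later cleanup could drop and bring the signed overflow back. I would add above it `/* bitstream-derived delta: add as unsigned so the sum wraps instead of overflowing a signed int; the range check below rejects bad results */`. The same comment fits the four accumulations in the second hunk. decode_header starts and ends outside this hunk.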
@@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){
}
- s->qlog += get_symbol(&s->c, s->header_state, 1);
- s->mv_scale += get_symbol(&s->c, s->header_state, 1);
- s->qbias += get_symbol(&s->c, s->header_state, 1);
- s->block_max_depth+= get_symbol(&s->c, s->header_state, 1);
+ s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1);
+ s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1);
+ s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1);
+ s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1);
if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth);
s->block_max_depth= 0;
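Review bot: Of the four fields accumulated here, only `block_max_depth` and `mv_scale` are range-checked in the lines shown; `qlog` and `qbias` now wrap silently, and as far as this hunk shows they carry whatever value the bitstream produces into the rest of decode_header, which continues outside the hunk. If no later check exists, each should be compared against its valid range and rejected with `return AVERROR_INVALIDDATA;`, as is done for `spatial_decomposition_type`. Separately, the error text names only `block_max_depth` although the branch is also taken for `mv_scale > 256U`; a message such as `"block_max_depth= %d or mv_scale= %d out of range\n"` printing both values would make the log usable when triaging malformed streams.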