diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-03-03 20:12:21 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-03-05 12:01:46 +0100 |
commit | d03d38616278bf209e6c860d8f9f564cbc6c1780 (patch) | |
tree | 1681b79f9222713cd5d750b665e9d2acf7824d02 /libavcodec | |
parent | fab13bbbcdf92da165f1a6be94fbb8f87fac639a (diff) | |
download | ffmpeg-d03d38616278bf209e6c860d8f9f564cbc6c1780.tar.gz |
avcodec/wavpack: Check bitrate_acc for overflow
Fixes: undefined behavior in 717/clusterfuzz-testcase-5434924129583104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/wavpack.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index ebcdd96508..bf538a9b87 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -99,11 +99,13 @@ static av_always_inline int get_tail(GetBitContext *gb, int k) return res; } -static void update_error_limit(WavpackFrameContext *ctx) +static int update_error_limit(WavpackFrameContext *ctx) { int i, br[2], sl[2]; for (i = 0; i <= ctx->stereo_in; i++) { + if (ctx->ch[i].bitrate_acc > UINT_MAX - ctx->ch[i].bitrate_delta) + return AVERROR_INVALIDDATA; ctx->ch[i].bitrate_acc += ctx->ch[i].bitrate_delta; br[i] = ctx->ch[i].bitrate_acc >> 16; sl[i] = LEVEL_DECAY(ctx->ch[i].slow_level); @@ -131,6 +133,8 @@ static void update_error_limit(WavpackFrameContext *ctx) ctx->ch[i].error_limit = wp_exp2(br[i]); } } + + return 0; } static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, @@ -200,8 +204,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, ctx->zero = !ctx->one; } - if (ctx->hybrid && !channel) - update_error_limit(ctx); + if (ctx->hybrid && !channel) { + if (update_error_limit(ctx) < 0) + goto error; + } if (!t) { base = 0; |