avcodec/sonic: Check e in get_symbol()
authorMichael Niedermayer <michael@niedermayer.cc>
Mon, 21 Oct 2019 21:22:05 +0000 (23:22 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Tue, 31 Dec 2019 17:43:50 +0000 (18:43 +0100)
Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int'
Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176
Fixes: 18753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5663299131932672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/sonic.c

index 219412eb77d947d50b26817da7ada5601fce5a79..c975774b04adb8e9a22ddbd4e23ae68a94c00635 100644 (file)
@@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si
         e= 0;
         while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
         }
 
         a= 1;
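Review bot: The new guard `if (e > 31)` still admits e == 31, and if the loop that follows `a= 1;` doubles `a` once per unary digit (which is what the reported `1721520852 + 1721520852` overflow looks like — that operand is already in [2^30, 2^31)), then 31 doublings of a signed int starting at 1 reach 2^31 and overflow on the last step, so the check should be `if (e > 30)` or `a` should be declared `unsigned` so the doubling wraps instead of being UB; I cannot see that loop from here, so confirm its iteration count before picking the bound. A second concern is that `AVERROR_INVALIDDATA` is a negative int returned through the same channel as a decoded signed symbol (the function takes `is_signed`), so a caller that does not already range-check the result cannot tell a corrupt stream from a legitimately negative value — worth a comment at the return, e.g. `/* NOTE: error value is in-band with signed symbols; callers must validate range */`, or an out-of-band error path. The body of get_symbol continues past the end of this hunk.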