virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

avcodec/mlpdec: Check quant_step_size against huff_lsbs

Browse Source 
This reorders the operations so as to avoid computations with the above arguments
before they have been initialized.
Fixes part of 1708/clusterfuzz-testcase-minimized-5035111957397504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-05-20 23:01:04 +02:00
parent 53e0d5d724
commit 361e0310d9
1 changed files with 25 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
libavcodec/mlpdec.c
View File

@ -829,8 +829,6 @@ static int read_channel_params(MLPDecodeContext *m, unsigned int substr,
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
return 0; return 0;
} }
@ -842,7 +840,8 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
{ {
SubStream *s = &m->substream[substr]; SubStream *s = &m->substream[substr];
unsigned int ch; unsigned int ch;
int ret; int ret = 0;
unsigned recompute_sho = 0;
if (s->param_presence_flags & PARAM_PRESENCE) if (s->param_presence_flags & PARAM_PRESENCE)
if (get_bits1(gbp)) if (get_bits1(gbp))
@ -882,19 +881,36 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
if (s->param_presence_flags & PARAM_QUANTSTEP) if (s->param_presence_flags & PARAM_QUANTSTEP)
if (get_bits1(gbp)) if (get_bits1(gbp))
for (ch = 0; ch <= s->max_channel; ch++) { for (ch = 0; ch <= s->max_channel; ch++) {
ChannelParams *cp = &s->channel_params[ch];
s->quant_step_size[ch] = get_bits(gbp, 4); s->quant_step_size[ch] = get_bits(gbp, 4);
cp->sign_huff_offset = calculate_sign_huff(m, substr, ch); recompute_sho |= 1<<ch;
} }
for (ch = s->min_channel; ch <= s->max_channel; ch++) for (ch = s->min_channel; ch <= s->max_channel; ch++)
if (get_bits1(gbp)) if (get_bits1(gbp)) {
recompute_sho |= 1<<ch;
if ((ret = read_channel_params(m, substr, gbp, ch)) < 0) if ((ret = read_channel_params(m, substr, gbp, ch)) < 0)
return ret; goto fail;
}
return 0;
fail:
for (ch = 0; ch <= s->max_channel; ch++) {
if (recompute_sho & (1<<ch)) {
ChannelParams *cp = &s->channel_params[ch];
if (cp->codebook > 0 && cp->huff_lsbs < s->quant_step_size[ch]) {
if (ret >= 0) {
av_log(m->avctx, AV_LOG_ERROR, "quant_step_size larger than huff_lsbs\n");
ret = AVERROR_INVALIDDATA;
}
s->quant_step_size[ch] = 0;
}
cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
}
}
return ret;
} }
#define MSB_MASK(bits) (-1u << (bits)) #define MSB_MASK(bits) (-1u << (bits))