virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-10 06:10:52 +02:00
Code Issues Releases Activity

avcodec/lagarith: Check that the range coded data stream is consistent when the probabilities indicate no data could have been coded.

Browse Source 
Fixes: Timeout
Fixes: 8638/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5132046098759680
Fixes: 8943/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4883030219948032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2018-06-14 22:16:52 +02:00
parent 7334985ffa
commit 8d21ab4d12
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/lagarith.c
View File

@@ -141,6 +141,7 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
unsigned prob, cumulative_target; unsigned prob, cumulative_target;
unsigned cumul_prob = 0; unsigned cumul_prob = 0;
unsigned scaled_cumul_prob = 0; unsigned scaled_cumul_prob = 0;
int nnz = 0;
rac->prob[0] = 0; rac->prob[0] = 0;
rac->prob[257] = UINT_MAX; rac->prob[257] = UINT_MAX;
@@ -164,6 +165,8 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
prob = 256 - i; prob = 256 - i;
for (j = 0; j < prob; j++) for (j = 0; j < prob; j++)
rac->prob[++i] = 0; rac->prob[++i] = 0;
}else {
nnz++;
} }
} }
@@ -172,6 +175,10 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
return -1; return -1;
} }
if (nnz == 1 && (show_bits_long(gb, 32) & 0xFFFFFF)) {
return AVERROR_INVALIDDATA;
}
/* Scale probabilities so cumulative probability is an even power of 2. */ /* Scale probabilities so cumulative probability is an even power of 2. */
scale_factor = av_log2(cumul_prob); scale_factor = av_log2(cumul_prob);