virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-05-13 21:26:33 +02:00
Code Issues Releases Activity

avcodec/vb: Check vertical GMC component before multiply

Browse Source 
Fixes: runtime error: signed integer overflow: 8224 * 663584 cannot be represented in type 'int'
Fixes: 2393/clusterfuzz-testcase-minimized-6128334993883136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc6ab72bc7af27189e7b524b97e45c6fcadab5cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-06-28 20:29:02 +02:00
parent 34535941ae
commit cc9082dce1
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/vb.c
View File

@ -205,6 +205,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
if (flags & VB_HAS_GMC) { if (flags & VB_HAS_GMC) {
i = (int16_t)bytestream2_get_le16(&c->stream); i = (int16_t)bytestream2_get_le16(&c->stream);
j = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream);
if (FFABS(j) > avctx->height) {
av_log(avctx, AV_LOG_ERROR, "GMV out of range\n");
return AVERROR_INVALIDDATA;
}
offset = i + j * avctx->width; offset = i + j * avctx->width;
} }
if (flags & VB_HAS_VIDEO) { if (flags & VB_HAS_VIDEO) {