mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
avcodec/h264_cavlc: Check mb_skip_run
Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f72b9904fe
)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
b15db639a5
commit
f9cfdf2bae
@ -721,8 +721,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl)
|
||||
cbp = 0; /* avoid warning. FIXME: find a solution without slowing
|
||||
down the code */
|
||||
if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
|
||||
if (sl->mb_skip_run == -1)
|
||||
sl->mb_skip_run = get_ue_golomb_long(&sl->gb);
|
||||
if (sl->mb_skip_run == -1) {
|
||||
unsigned mb_skip_run = get_ue_golomb_long(&sl->gb);
|
||||
if (mb_skip_run > h->mb_num) {
|
||||
av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
sl->mb_skip_run = mb_skip_run;
|
||||
}
|
||||
|
||||
if (sl->mb_skip_run--) {
|
||||
if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user