diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-20 23:01:02 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-22 19:42:39 +0200 |
commit | da617408c80afd2ea67a175fabc0ba546b9b04bc (patch) | |
tree | 9739d9f0a7b1f6c8a1b1049d96abe92e93ecb249 | |
parent | ef01061225088c4945f5e309bc695ea5beb2a867 (diff) | |
download | ffmpeg-da617408c80afd2ea67a175fabc0ba546b9b04bc.tar.gz |
avcodec/escape124: Check depth against num_superblocks
Fixes: runtime error: left shift of 66184 by 15 places cannot be represented in type 'int'
Fixes: 1707/clusterfuzz-testcase-minimized-6502767008940032
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/escape124.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c3174ce6ef..eb051eba54 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -267,6 +267,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, cb_size = s->num_superblocks << cb_depth; } } + if (s->num_superblocks >= INT_MAX >> cb_depth) { + av_log(avctx, AV_LOG_ERROR, "Depth or num_superblocks are too large\n"); + return AVERROR_INVALIDDATA; + } + av_freep(&s->codebooks[i].blocks); s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size); if (!s->codebooks[i].blocks) |