avcodec/cavsdec: Check sym_factor

Fixes: runtime error: signed integer overflow: 25984 * 130560 cannot be represented in type 'int' Fixes: 1404/clusterfuzz-testcase-minimized-5000441286885376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-05-08 11:55:27 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-05-08 12:30:09 +0200
commit: 279420b5a63b3f254e4932a4afb91759fb50186a (patch)
tree: 9a0044d238cb198424db132f6edfcd545eeff632 /libavcodec/cavsdec.c
parent: 1e42736b95065c69a7481d0cf55247024f54b660 (diff)
download: ffmpeg-279420b5a63b3f254e4932a4afb91759fb50186a.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 4d3d2d7c65..eb2464f36d 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h)
     h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0;
     if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) {
         h->sym_factor = h->dist[0] * h->scale_den[1];
+        if (FFABS(h->sym_factor) > 32768) {
+            av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor);
+            return AVERROR_INVALIDDATA;
+        }
     } else {
         h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0;
         h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-05-08 11:55:27 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-05-08 12:30:09 +0200
commit	279420b5a63b3f254e4932a4afb91759fb50186a (patch)
tree	9a0044d238cb198424db132f6edfcd545eeff632 /libavcodec/cavsdec.c
parent	1e42736b95065c69a7481d0cf55247024f54b660 (diff)
download	ffmpeg-279420b5a63b3f254e4932a4afb91759fb50186a.tar.gz