RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset 

Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int'
Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-09-19 16:29:15 +02:00
parent eeabdef1bf
commit 106f11f68a
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/hevcdec.c
View File

@ -815,6 +815,11 @@ static int hls_slice_header(HEVCContext *s)
if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) {
sh->slice_cb_qp_offset = get_se_golomb(gb);
sh->slice_cr_qp_offset = get_se_golomb(gb);
if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 ||
sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) {
av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n");
return AVERROR_INVALIDDATA;
}
} else {
sh->slice_cb_qp_offset = 0;
sh->slice_cr_qp_offset = 0;