mirror of https://git.ffmpeg.org/ffmpeg.git
oggparsedaala: reject too large gpshift
Also use a unsigned constant for the shift calculation, as 1 << 31 is undefined for int32_t. This is also fixed oggparsetheora. This fixes ubsan runtime error: shift exponent is too large for 32-bit type 'int' Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This commit is contained in:
parent
69ead86027
commit
c112be25f7
|
@ -123,7 +123,12 @@ static int daala_header(AVFormatContext *s, int idx)
|
||||||
|
|
||||||
hdr->frame_duration = bytestream2_get_ne32(&gb);
|
hdr->frame_duration = bytestream2_get_ne32(&gb);
|
||||||
hdr->gpshift = bytestream2_get_byte(&gb);
|
hdr->gpshift = bytestream2_get_byte(&gb);
|
||||||
hdr->gpmask = (1 << hdr->gpshift) - 1;
|
if (hdr->gpshift >= 32) {
|
||||||
|
av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n",
|
||||||
|
hdr->gpshift);
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
|
hdr->gpmask = (1U << hdr->gpshift) - 1;
|
||||||
|
|
||||||
hdr->format.depth = 8 + 2*(bytestream2_get_byte(&gb)-1);
|
hdr->format.depth = 8 + 2*(bytestream2_get_byte(&gb)-1);
|
||||||
|
|
||||||
|
|
|
@ -108,7 +108,7 @@ static int theora_header(AVFormatContext *s, int idx)
|
||||||
skip_bits(&gb, 2);
|
skip_bits(&gb, 2);
|
||||||
|
|
||||||
thp->gpshift = get_bits(&gb, 5);
|
thp->gpshift = get_bits(&gb, 5);
|
||||||
thp->gpmask = (1 << thp->gpshift) - 1;
|
thp->gpmask = (1U << thp->gpshift) - 1;
|
||||||
|
|
||||||
st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
|
st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
|
||||||
st->codec->codec_id = AV_CODEC_ID_THEORA;
|
st->codec->codec_id = AV_CODEC_ID_THEORA;
|
||||||
|
|
Loading…
Reference in New Issue