oggparsedaala: reject too large gpshift

Also use a unsigned constant for the shift calculation, as 1 << 31 is
undefined for int32_t. This is also fixed oggparsetheora.

This fixes ubsan runtime error: shift exponent is too large for
32-bit type 'int'

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This commit is contained in:
Andreas Cadhalpun 2015-12-29 18:32:01 +01:00
parent 69ead86027
commit c112be25f7
2 changed files with 7 additions and 2 deletions

View File

@ -123,7 +123,12 @@ static int daala_header(AVFormatContext *s, int idx)
hdr->frame_duration = bytestream2_get_ne32(&gb); hdr->frame_duration = bytestream2_get_ne32(&gb);
hdr->gpshift = bytestream2_get_byte(&gb); hdr->gpshift = bytestream2_get_byte(&gb);
hdr->gpmask = (1 << hdr->gpshift) - 1; if (hdr->gpshift >= 32) {
av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n",
hdr->gpshift);
return AVERROR_INVALIDDATA;
}
hdr->gpmask = (1U << hdr->gpshift) - 1;
hdr->format.depth = 8 + 2*(bytestream2_get_byte(&gb)-1); hdr->format.depth = 8 + 2*(bytestream2_get_byte(&gb)-1);

View File

@ -108,7 +108,7 @@ static int theora_header(AVFormatContext *s, int idx)
skip_bits(&gb, 2); skip_bits(&gb, 2);
thp->gpshift = get_bits(&gb, 5); thp->gpshift = get_bits(&gb, 5);
thp->gpmask = (1 << thp->gpshift) - 1; thp->gpmask = (1U << thp->gpshift) - 1;
st->codec->codec_type = AVMEDIA_TYPE_VIDEO; st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
st->codec->codec_id = AV_CODEC_ID_THEORA; st->codec->codec_id = AV_CODEC_ID_THEORA;