avcodec/wavpack: Check bitrate_acc for overflow

Fixes: undefined behavior in 717/clusterfuzz-testcase-5434924129583104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-03-03 20:12:21 +01:00 · 2017-03-03 20:12:21 +01:00 · d03d386162
parent fab13bbbcd
commit d03d386162
1 changed files with 9 additions and 3 deletions
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@ -99,11 +99,13 @@ static av_always_inline int get_tail(GetBitContext *gb, int k)
    return res;
 }

-static void update_error_limit(WavpackFrameContext *ctx)
+static int update_error_limit(WavpackFrameContext *ctx)
 {
    int i, br[2], sl[2];

    for (i = 0; i <= ctx->stereo_in; i++) {
+        if (ctx->ch[i].bitrate_acc > UINT_MAX - ctx->ch[i].bitrate_delta)
+            return AVERROR_INVALIDDATA;
        ctx->ch[i].bitrate_acc += ctx->ch[i].bitrate_delta;
        br[i]                   = ctx->ch[i].bitrate_acc >> 16;
        sl[i]                   = LEVEL_DECAY(ctx->ch[i].slow_level);
@ -131,6 +133,8 @@ static void update_error_limit(WavpackFrameContext *ctx)
            ctx->ch[i].error_limit = wp_exp2(br[i]);
        }
    }
+
+    return 0;
 }

 static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
@ -200,8 +204,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
        ctx->zero = !ctx->one;
    }

-    if (ctx->hybrid && !channel)
-        update_error_limit(ctx);
+    if (ctx->hybrid && !channel) {
+        if (update_error_limit(ctx) < 0)
+            goto error;
+    }

    if (!t) {
        base = 0;