From d03d38616278bf209e6c860d8f9f564cbc6c1780 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 3 Mar 2017 20:12:21 +0100
Subject: [PATCH] avcodec/wavpack: Check bitrate_acc for overflow
Fixes: undefined behavior in 717/clusterfuzz-testcase-5434924129583104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/wavpack.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index ebcdd96508..bf538a9b87 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -99,11 +99,13 @@ static av_always_inline int get_tail(GetBitContext *gb, int k)
     return res;
 }
-static void update_error_limit(WavpackFrameContext *ctx)
+static int update_error_limit(WavpackFrameContext *ctx)
 {
     int i, br[2], sl[2];
     for (i = 0; i <= ctx->stereo_in; i++) {
+        if (ctx->ch[i].bitrate_acc > UINT_MAX - ctx->ch[i].bitrate_delta)
+            return AVERROR_INVALIDDATA;
         ctx->ch[i].bitrate_acc += ctx->ch[i].bitrate_delta;
         br[i] = ctx->ch[i].bitrate_acc >> 16;
         sl[i] = LEVEL_DECAY(ctx->ch[i].slow_level);
@@ -131,6 +133,8 @@ static void update_error_limit(WavpackFrameContext *ctx)
             ctx->ch[i].error_limit = wp_exp2(br[i]);
         }
     }
+
+    return 0;
 }
 static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
@@ -200,8 +204,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
         ctx->zero = !ctx->one;
     }
-    if (ctx->hybrid && !channel)
-        update_error_limit(ctx);
+    if (ctx->hybrid && !channel) {
+        if (update_error_limit(ctx) < 0)
+            goto error;
+    }
     if (!t) {
         base = 0;
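Review bot: The added guard in update_error_limit is only a valid overflow test if both `bitrate_acc` and `bitrate_delta` are unsigned, and the WvChannel declarations are outside this hunk; if either field were a signed int, `UINT_MAX - ctx->ch[i].bitrate_delta` would silently promote and the comparison would no longer express what the commit message claims. The check also changes the function's contract from "never fails" to "rejects the frame", which the code does not document; I would put a comment above the loop: `/* Reject the frame if the accumulator would wrap: the value feeds br[i] and wp_exp2() below. Fields are assumed unsigned — confirm against WvChannel. */`. With stereo input, ch[0].bitrate_acc has already been advanced when ch[1] fails the check, so the context is left partly updated on the error path; this is only a problem if a caller can continue decoding the same block after the error, which is not visible here. update_error_limit's body continues past this hunk into the next one.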
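Review bot: The new `goto error` in wv_get_value jumps to a label that lies outside the hunk, so it is not visible whether that path records the failure in the context (as other bitstream errors in this function presumably do) or merely returns a sentinel; if the error label only returns, the overflow is reported no differently from exhausted input, which makes the fuzz finding hard to distinguish from truncated data in logs. I would add a comment on the added call: `/* Hybrid mode: refuse frames whose bitrate accumulator would wrap (see update_error_limit). */`. As a point of style, the nested `if` could be folded into the condition, `if (ctx->hybrid && !channel && update_error_limit(ctx) < 0) goto error;`, which keeps the single-statement body the original had. wv_get_value starts and ends outside this hunk.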