[FFmpeg-devel] [PATCH] avcodec/scpr: mask bits to prevent out of array read

Tue May 16 03:22:37 EEST 2017

Fixes: 1615/clusterfuzz-testcase-minimized-6625214647500800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/scpr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index 46f072c757..f6d1e45692 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -488,7 +488,7 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
 
         if (avctx->bits_per_coded_sample == 16) {
             cx1 = (clr & 0x3F00) >> 2;
-            cx = (clr & 0xFFFFFF) >> 16;
+            cx = (clr & 0x3FFFFF) >> 16;
         } else {
             cx1 = (clr & 0xFC00) >> 4;
             cx = (clr & 0xFFFFFF) >> 18;
@@ -726,7 +726,7 @@ static int decompress_p(AVCodecContext *avctx,
 
                     if (avctx->bits_per_coded_sample == 16) {
                         cx1 = (clr & 0x3F00) >> 2;
-                        cx = (clr & 0xFFFFFF) >> 16;
+                        cx = (clr & 0x3FFFFF) >> 16;
                     } else {
                         cx1 = (clr & 0xFC00) >> 4;
                         cx = (clr & 0xFFFFFF) >> 18;
-- 
2.11.0

