[FFmpeg-devel] [PATCH 4/6] avcodec/evc_parse: Check log2_sub_gop_length

James Almer jamrial at gmail.com
Mon Jun 19 02:01:48 EEST 2023


On 6/18/2023 7:27 PM, James Almer wrote:
> On 6/18/2023 6:50 PM, Michael Niedermayer wrote:
>> Fixes: 1.70141e+38 is outside the range of representable values of 
>> type 'int'
>> Fixes: 
>> 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696
>>
>> Found-by: continuous fuzzing process 
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>> ---
>>   libavcodec/evc_parse.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
>> index 44be5c5291..822b236423 100644
>> --- a/libavcodec/evc_parse.c
>> +++ b/libavcodec/evc_parse.c
>> @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext 
>> *ctx, const uint8_t *bs, int bs_
>>       if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
>>           sps->log2_sub_gop_length = get_ue_golomb(&gb);
>> +        if (sps->log2_sub_gop_length > 5U)
>> +            return NULL;
>>           if (sps->log2_sub_gop_length == 0)
>>               sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);
>>       }
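Review bot: the early `return NULL` added after `get_ue_golomb()` bails out without undoing whatever the caller or the surrounding function has already done for this SPS, so the range check introduces a new exit path that, unlike the function's prior flow, skips any cleanup of the allocated SPS; the failure branch should release the SPS (or clear its slot) before returning, or the caller must be made responsible for that on a NULL result. On the check itself, comparing against `5U` is a reasonable choice: `get_ue_golomb()` returns `int`, so a negative error return is promoted to unsigned and also rejected by `> 5U`, which means a malformed Exp-Golomb code can no longer leak through as a negative `log2_sub_gop_length`; worth a one-line comment so the unsigned literal is not "fixed" later. Note that `log2_ref_pic_gap_length`, read on the `== 0` branch two lines below, receives no corresponding bound, so if it is later used as a shift count the same class of problem remains open there.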
> 
> LGTM, but please let me apply it as part of my evc patchset to prevent 
> conflicts.

Actually, this is leaving the SPS allocated in the array, which should 
be freed if we're going to start erroring out on failed range checks.
I'll amend it before applying it.

