On 6/18/2023 7:27 PM, James Almer wrote:
On 6/18/2023 6:50 PM, Michael Niedermayer wrote:
Fixes: 1.70141e+38 is outside the range of representable values of type 'int'
Fixes:
59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/evc_parse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
index 44be5c5291..822b236423 100644
--- a/libavcodec/evc_parse.c
+++ b/libavcodec/evc_parse.c
@@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext
*ctx, const uint8_t *bs, int bs_
if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
sps->log2_sub_gop_length = get_ue_golomb(&gb);
+ if (sps->log2_sub_gop_length > 5U)
+ return NULL;
if (sps->log2_sub_gop_length == 0)
sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);
}
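Review bot: the new `return NULL` after the `sps->log2_sub_gop_length > 5U` check bails out of ff_evc_parse_sps() without releasing the SPS that the function has already placed in the parser's array (the reply below makes the same point), so every failed range check that returns NULL this way should first free that SPS and clear its array slot, otherwise the entry leaks and stays reachable with contents that never passed validation. One detail worth keeping: because the bound is written as `5U`, the comparison is performed in unsigned arithmetic, so a negative error value returned by get_ue_golomb() also takes the error path rather than being treated as a small valid length.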
LGTM, but please let me apply it as part of my evc patchset to prevent
conflicts.
Actually, this is leaving the SPS allocated in the array, which should
be freed if we're going to start erroring out on failed range checks.
I'll amend it before applying it.
_______________________________________________
ffmpeg-devel mailing list
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel