On Sat, 20 May 2017 23:01:04 +0200 Michael Niedermayer <mich...@niedermayer.cc> wrote:
> This reorders the operations so as to avoid computations with the above
> arguments
> before they have been initialized.
> Fixes part of 1708/clusterfuzz-testcase-minimized-5035111957397504
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
> libavcodec/mlpdec.c | 34 +++++++++++++++++++++++++---------
> 1 file changed, 25 insertions(+), 9 deletions(-)
>
> diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
> index c0a23c5f0d..11be380d27 100644
> --- a/libavcodec/mlpdec.c
> +++ b/libavcodec/mlpdec.c
> @@ -825,8 +825,6 @@ static int read_channel_params(MLPDecodeContext *m, > unsigned int substr,
> return AVERROR_INVALIDDATA;
> }
>
> - cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
> -
> return 0;
> }
>
> @@ -838,7 +836,8 @@ static int read_decoding_params(MLPDecodeContext *m, > GetBitContext *gbp,
> {
> SubStream *s = &m->substream[substr];
> unsigned int ch;
> - int ret;
> + int ret = 0;
> + unsigned recompute_sho = 0;
>
> if (s->param_presence_flags & PARAM_PRESENCE)
> if (get_bits1(gbp))
> @@ -878,19 +877,36 @@ static int read_decoding_params(MLPDecodeContext *m, > GetBitContext *gbp,
> if (s->param_presence_flags & PARAM_QUANTSTEP)
> if (get_bits1(gbp))
> for (ch = 0; ch <= s->max_channel; ch++) {
> - ChannelParams *cp = &s->channel_params[ch];
> -
> s->quant_step_size[ch] = get_bits(gbp, 4);
>
> - cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
> + recompute_sho |= 1<<ch;
> }
>
> for (ch = s->min_channel; ch <= s->max_channel; ch++)
> - if (get_bits1(gbp))
> + if (get_bits1(gbp)) {
> + recompute_sho |= 1<<ch;
> if ((ret = read_channel_params(m, substr, gbp, ch)) < 0)
> - return ret;
> + goto fail;
> + }
>
> - return 0;
> +
> +fail:
> + for (ch = 0; ch <= s->max_channel; ch++) {
> + if (recompute_sho & (1<<ch)) {
> + ChannelParams *cp = &s->channel_params[ch];
> +
> + if (cp->codebook > 0 && cp->huff_lsbs < s->quant_step_size[ch]) {
> + if (ret >= 0) {
> + av_log(m->avctx, AV_LOG_ERROR, "quant_step_size larger > than huff_lsbs\n");
> + ret = AVERROR_INVALIDDATA;
> + }
> + s->quant_step_size[ch] = 0;
> + }
> +
> + cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
> + }
> + }
> + return ret;
What's all this stuff for?
> }
>
> #define MSB_MASK(bits) (-1u << (bits))
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
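Review bot: The per-channel mask in the third hunk is built with `1<<ch`, a signed `int` shifted by an `unsigned int` index, while `recompute_sho` itself is `unsigned`. The upper bound of `s->max_channel` is not visible in this hunk; if a crafted stream could push it to 31 or beyond, the shift would be undefined and the recompute pass would silently miss channels, so the mask width is worth tying to the channel limit. Writing both sites with an unsigned literal, `recompute_sho |= 1U << ch;` and `if (recompute_sho & (1U << ch))`, removes the signed shift. Separately, the label `fail:` is also reached by fall-through when every read succeeds, so a neutral name such as `recompute:` would describe it better. The body of read_decoding_params starts outside the hunk.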