On Fri, Jun 08, 2018 at 11:34:02PM -0300, James Almer wrote:
> On 6/8/2018 11:23 PM, James Almer wrote:
> > On 6/8/2018 8:12 PM, James Almer wrote:
> >> On 6/8/2018 7:11 PM, Michael Niedermayer wrote:
> >>> Fixes: signed integer overflow: 15 + 2147483646 cannot be represented in 
> >>> type 'int'
> >>> Fixes: 
> >>> 8381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6225533137321984
> >>>
> >>> Found-by: continuous fuzzing process 
> >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> >>> ---
> >>>  libavcodec/h264_sei.c | 12 +++++++++---
> >>>  1 file changed, 9 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
> >>> index 9defcb80b9..2f16d95f56 100644
> >>> --- a/libavcodec/h264_sei.c
> >>> +++ b/libavcodec/h264_sei.c
> >>> @@ -261,10 +261,16 @@ static int 
> >>> decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
> >>>      return 0;
> >>>  }
> >>>  
> >>> -static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext 
> >>> *gb)
> >>> +static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext 
> >>> *gb, void *logctx)
> >>>  {
> >>> -    h->recovery_frame_cnt = get_ue_golomb_long(gb);
> >>> +    unsigned recovery_frame_cnt = get_ue_golomb_long(gb);
> >>>  
> >>> +    if (recovery_frame_cnt > (1<<16)) {
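Review bot: the bound on the `+    if (recovery_frame_cnt > (1<<16)) {` line is off by one, since it still accepts 65536 while a frame_num distance fits in at most MAX_LOG2_MAX_FRAME_NUM bits; `(1 << MAX_LOG2_MAX_FRAME_NUM) - 1` with the constant exported from h264_ps.h, as the replies suggest, keeps the limit in one place and makes the intent visible. Reading into a local `unsigned` before the check is the right move, as the overflow was in `h->recovery_frame_cnt` being summed as int; the new `logctx` parameter also means the call site of decode_recovery_point must change, which falls outside the shown hunk.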
> >>
> >> Maybe move MAX_LOG2_MAX_FRAME_NUM out of h264_ps.c and into h264_ps.h,
> >> then use it here?
> > 
> > And it should be "(1 << MAX_LOG2_MAX_FRAME_NUM) - 1", for that matter.
> 
> > Or alternatively use sps->log2_max_frame_num from the active sps instead.
> 
> Or maybe not. Guess this is already handled by h264_slice.c, so probably
> just use the aforementioned constant.

will apply with these changes after basic testing

thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didnt complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"
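The overflow the commit fixes and the bounded read the thread converges on, as an added example in C that is not FFmpeg's code: a minimal ue(v) reader and a recovery_frame_cnt parse that rejects anything above (1 << MAX_LOG2_MAX_FRAME_NUM) - 1 before it can be added to a frame number. Assumptions: MAX_LOG2_MAX_FRAME_NUM is 16 (consistent with the patch's 1<<16), FFmpeg's GetBitContext and get_ue_golomb_long are replaced by hand-rolled stand-ins, and the sample SEI payloads are constructed here.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_LOG2_MAX_FRAME_NUM 16   /* assumed to match libavcodec/h264_ps.c */

/* Minimal MSB-first bit reader (stand-in for FFmpeg's GetBitContext). */
typedef struct { const uint8_t *buf; size_t nbits; size_t pos; } BitReader;

static int read_bit(BitReader *br)
{
    if (br->pos >= br->nbits)
        return -1;                       /* ran off the end of the SEI payload */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v) Exp-Golomb decode (H.264 clause 9.1); -1 on truncated or oversized code. */
static int64_t read_ue(BitReader *br)
{
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31)
            return -1;                   /* 32+ leading zeros: not a valid 32-bit ue(v) */
    if (bit < 0)
        return -1;
    uint64_t value = 1;
    for (int i = 0; i < zeros; i++) {
        if ((bit = read_bit(br)) < 0)
            return -1;
        value = (value << 1) | (uint64_t)bit;
    }
    return (int64_t)(value - 1);
}

/* Read recovery_frame_cnt the way the patch does: into a wide local first, then
 * reject anything wider than MAX_LOG2_MAX_FRAME_NUM bits so that a later
 * frame_num + recovery_frame_cnt cannot overflow int. Returns count or -1. */
int64_t parse_recovery_frame_cnt(const uint8_t *buf, size_t size)
{
    BitReader br = { buf, size * 8, 0 };
    int64_t cnt = read_ue(&br);
    if (cnt < 0 || cnt > (1 << MAX_LOG2_MAX_FRAME_NUM) - 1)
        return -1;
    return cnt;
}

/* Constructed sample payloads (ue(v) bit strings padded to whole bytes). */
const uint8_t SEI_CNT_15[]    = { 0x08, 0x00 };                   /* 000010000 -> 15 */
const uint8_t SEI_CNT_65535[] = { 0x00, 0x00, 0x80, 0x00, 0x00 }; /* 16 zeros,1,16 zeros -> 65535 */
const uint8_t SEI_CNT_65536[] = { 0x00, 0x00, 0x80, 0x00, 0x80 }; /* -> 65536, rejected */
const uint8_t SEI_TRUNCATED[] = { 0x00 };                         /* prefix ends early */
```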
