Hi,

On Mon, Nov 26, 2012 at 4:27 AM, Janne Grunau <janne-li...@jannau.net> wrote:
> On 2012-11-26 13:22:51 +0100, Kostya Shishkov wrote:
>> On Mon, Nov 26, 2012 at 01:06:18PM +0100, Janne Grunau wrote:
>> > Fixes infinite or long-running loop in frame num gap code in
>> > the fuzzed sample bipbop234.ts_s223302.
>> >
>> > CC: libav-sta...@libav.org
>> > ---
>> > libavcodec/h264_ps.c | 9 +++++++++
>> > 1 file changed, 9 insertions(+)
>> >
>> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
>> > index 810f69f..dc6b676 100644
>> > --- a/libavcodec/h264_ps.c
>> > +++ b/libavcodec/h264_ps.c
>> > @@ -37,6 +37,9 @@
>> > //#undef NDEBUG
>> > #include <assert.h>
>> >
>> > +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4)
>> > +#define MIN_LOG2_MAX_FRAME_NUM 4
>> > +
>> > static const AVRational pixel_aspect[17]={
>> > {0, 1},
>> > {1, 1},
>> > @@ -349,6 +352,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
>> > }
>> >
>> > sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4;
>> > + if (sps->log2_max_frame_num > MAX_LOG2_MAX_FRAME_NUM ||
>> > + sps->log2_max_frame_num < MIN_LOG2_MAX_FRAME_NUM) {
>> > + av_log(h->s.avctx, AV_LOG_ERROR, "log2_max_frame_num out of range
>> > "
>> > + "(4-16): %d\n", sps->log2_max_frame_num);
>> > + return AVERROR_INVALIDDATA;
>> > + }
>> > sps->poc_type= get_ue_golomb_31(&s->gb);
>> >
>> > if(sps->poc_type == 0){ //FIXME #define
>> > --
>>
>> LGTM though I suspect it's useless to check for the minimum size (unless it
>> overflows).
>
> The min check is added to protect against overflows. The sample in the
> commit msg doesn't overflow but is only slightly lower than INT_MAX.
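Review bot: the two new defines in the first hunk, MAX_LOG2_MAX_FRAME_NUM (12 + 4) and MIN_LOG2_MAX_FRAME_NUM 4, carry no comment saying where 12 and 4 come from; a one-line comment that they bound the syntax element log2_max_frame_num_minus4 (0..12 in the H.264 SPS) plus the +4 offset applied on read would make the later "(4-16)" error message self-explanatory to the next reader.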
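Review bot: in the second hunk the range check runs only after `+ 4` has already been added to the value returned by get_ue_golomb(), so a fuzzed value close to INT_MAX overflows the signed addition before the comparison ever sees it, and the `< MIN_LOG2_MAX_FRAME_NUM` branch is then relying on the result of that overflow. Compare the raw Golomb value against `MAX_LOG2_MAX_FRAME_NUM - MIN_LOG2_MAX_FRAME_NUM` first and add the offset only once it is in range; unless get_ue_golomb() can return a negative value on error, the minimum check becomes unnecessary at that point.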
Here, too, we should then protect against the actual overflow itself from happening, not so much check that it just happened.

    number = read_golomb();
    if number >= MIN_VALUE && number - MIN_VALUE >= MAX_VALUE
        error;
    number += MIN_VALUE;

Ronald
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
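As an added illustration of the check-before-add pattern discussed in this thread (example code written for this page, not libav's get_ue_golomb() or the patch itself): a minimal Exp-Golomb ue(v) reader plus a parser that validates log2_max_frame_num_minus4 against the 0..12 range before the +4 offset is added, so a fuzzed value near INT_MAX is rejected without any signed overflow. The bit reader and the sample byte strings in main() are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define MIN_LOG2_MAX_FRAME_NUM 4         /* offset added to the ue(v) value   */
#define MAX_LOG2_MAX_FRAME_NUM (12 + 4)  /* log2_max_frame_num_minus4 <= 12  */

/* Constructed MSB-first bit reader, standing in for the decoder's bitstream. */
typedef struct { const uint8_t *buf; size_t len_bits; size_t pos; } BitReader;

static int read_bit(BitReader *br) {
    if (br->pos >= br->len_bits) return -1;          /* ran out of data */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Exp-Golomb ue(v): N leading zeros, a one, then N info bits;
 * value = 2^N - 1 + info. More than 31 leading zeros is rejected so the
 * result always fits in the int64_t we return (-1 signals an error). */
static int64_t read_ue(BitReader *br) {
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31) return -1;
    if (bit < 0) return -1;
    uint32_t info = 0;
    for (int i = 0; i < zeros; i++) {
        if ((bit = read_bit(br)) < 0) return -1;
        info = (info << 1) | (uint32_t)bit;
    }
    return ((int64_t)1 << zeros) - 1 + info;
}

/* Hardened order of operations: validate the raw ue(v) value against
 * MAX - MIN first, and only then add the offset. Returns the
 * log2_max_frame_num in [4,16], or -1 for malformed or out-of-range input. */
static int parse_log2_max_frame_num(const uint8_t *buf, size_t len_bits) {
    BitReader br = { buf, len_bits, 0 };
    int64_t raw = read_ue(&br);
    if (raw < 0 || raw > MAX_LOG2_MAX_FRAME_NUM - MIN_LOG2_MAX_FRAME_NUM)
        return -1;                                   /* rejected before any add */
    return (int)raw + MIN_LOG2_MAX_FRAME_NUM;
}

int main(void) {
    const uint8_t ok0[]  = { 0x80 };                 /* ue(v) "1"        -> 0  */
    const uint8_t ok12[] = { 0x1A };                 /* "0001101"        -> 12 */
    const uint8_t bad[]  = { 0x1C };                 /* "0001110"        -> 13 */
    const uint8_t huge[] = { 0, 0, 0, 1, 0, 0, 0, 0 }; /* 31 zeros: 2^31 - 1 */
    printf("%d %d %d %d\n", parse_log2_max_frame_num(ok0, 1),
           parse_log2_max_frame_num(ok12, 7), parse_log2_max_frame_num(bad, 7),
           parse_log2_max_frame_num(huge, 63));      /* 4 16 -1 -1 */
    return 0;
}
```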