Hi,
On Mon, Nov 26, 2012 at 4:27 AM, Janne Grunau <janne-li...@jannau.net> wrote:
> On 2012-11-26 13:22:51 +0100, Kostya Shishkov wrote:
>> On Mon, Nov 26, 2012 at 01:06:18PM +0100, Janne Grunau wrote:
>> > Fixes infinitive or long taking loop in frame num gap code in
>> > the fuzzed sample bipbop234.ts_s223302.
>> >
>> > CC: libav-sta...@libav.org
>> > ---
>> > libavcodec/h264_ps.c | 9 +++++++++
>> > 1 file changed, 9 insertions(+)
>> >
>> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
>> > index 810f69f..dc6b676 100644
>> > --- a/libavcodec/h264_ps.c
>> > +++ b/libavcodec/h264_ps.c
>> > @@ -37,6 +37,9 @@
>> > //#undef NDEBUG
>> > #include <assert.h>
>> >
>> > +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4)
>> > +#define MIN_LOG2_MAX_FRAME_NUM 4
>> > +
>> > static const AVRational pixel_aspect[17]={
>> > {0, 1},
>> > {1, 1},
>> > @@ -349,6 +352,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
>> > }
>> >
>> > sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4;
>> > + if (sps->log2_max_frame_num > MAX_LOG2_MAX_FRAME_NUM ||
>> > + sps->log2_max_frame_num < MIN_LOG2_MAX_FRAME_NUM) {
>> > + av_log(h->s.avctx, AV_LOG_ERROR, "log2_max_frame_num out of range
>> > "
>> > + "(4-16): %d\n", sps->log2_max_frame_num);
>> > + return AVERROR_INVALIDDATA;
>> > + }
>> > sps->poc_type= get_ue_golomb_31(&s->gb);
>> >
>> > if(sps->poc_type == 0){ //FIXME #define
>> > --
>>
>> LGTM though I suspect it's useless to check for the minimum size (unless it
>> overflows).
>
> The min check is added to protect against overflows. The sample in the
> commit msg doesn't overflow but is only slightly lower than INT_MAX.
Here, too, we should then protect against the actual overflow itself
from happening, not so much check that it just happened.
number = read_golomb();
if number >= MIN_VALUE && number - MIN_VALUE >= MAX_VALUE
error;
number += MIN_VALUE;
Ronald
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
