On 2012-11-27 12:56:56 +0100, Janne Grunau wrote:
> On 2012-11-26 07:04:16 -0800, Ronald S. Bultje wrote:
> > Hi,
> >
> > On Mon, Nov 26, 2012 at 4:27 AM, Janne Grunau <janne-li...@jannau.net> wrote:
> > > On 2012-11-26 13:22:51 +0100, Kostya Shishkov wrote:
> > >>
> > >> LGTM though I suspect it's useless to check for the minimum size (unless it
> > >> overflows).
> > >
> > > The min check is added to protect against overflows. The sample in the
> > > commit msg doesn't overflow but is only slightly lower than INT_MAX.
> >
> > Here, too, we should then protect against the actual overflow itself
> > from happening, not so much check that it just happened.
> >
> > number = read_golomb();
> > if number >= MIN_VALUE && number - MIN_VALUE >= MAX_VALUE
> > error;
> > number += MIN_VALUE;
>
> I was more worried about the 'overflow' in get_ue_golomb() since I saw
> that already. Checking before the addition for an overflow works
> too, updated patch attached.
>
> Janne
>
> ---8<---
> Fixes infinite or long taking loop in frame num gap code in
> the fuzzed sample bipbop234.ts_s223302.
>
> CC: libav-sta...@libav.org
> ---
> libavcodec/h264_ps.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c > index 810f69f..7490600 100644 > --- a/libavcodec/h264_ps.c > +++ b/libavcodec/h264_ps.c > @@ -37,6 +37,9 @@ > //#undef NDEBUG > #include <assert.h> > > +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) > +#define MIN_LOG2_MAX_FRAME_NUM 4 > + > static const AVRational pixel_aspect[17]={ > {0, 1}, > {1, 1}, > @@ -301,7 +304,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ > MpegEncContext * const s = &h->s; > int profile_idc, level_idc, constraint_set_flags = 0; > unsigned int sps_id; > - int i; > + int i, log2_max_frame_num_minus4; > SPS *sps; > > profile_idc= get_bits(&s->gb, 8);
> @@ -348,7 +351,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ > sps->bit_depth_chroma = 8; > } > > - sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4; > + log2_max_frame_num_minus4 = get_ue_golomb(&s->gb); > + if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 || > + log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) { > + av_log(h->s.avctx, AV_LOG_ERROR, > + "log2_max_frame_num_minus4 out of range (0-12): %d\n", > + log2_max_frame_num_minus4); > + return AVERROR_INVALIDDATA; > + } > + sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4; > + > sps->poc_type= get_ue_golomb_31(&s->gb); > > if(sps->poc_type == 0){ //FIXME #define
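Review bot: the two macros added in the first hunk (`MAX_LOG2_MAX_FRAME_NUM (12 + 4)` and `MIN_LOG2_MAX_FRAME_NUM 4`) carry no comment saying where 4 and 12 come from, and every use then subtracts 4 again to compare against the minus4 syntax element. Add a one-line comment next to the defines pointing at the H.264 constraint that log2_max_frame_num_minus4 shall be in the range 0 to 12, inclusive (clause 7.4.2.1.1), so the magic numbers and the `- 4` arithmetic in the range check are explained at the place they are defined.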
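Review bot: the `return AVERROR_INVALIDDATA;` in the third hunk leaves ff_h264_decode_seq_parameter_set directly from the middle of the parse; if `sps` (declared in the second hunk) has already been allocated at that point, this early return leaks it. Check whether the surrounding function releases `sps` through a shared error path and, if so, jump to that path instead of returning. A smaller point in the same hunk: the message hardcodes "(0-12)" while the bounds come from the macros; printing `MIN_LOG2_MAX_FRAME_NUM - 4` and `MAX_LOG2_MAX_FRAME_NUM - 4` with `%d` keeps the text and the check in sync if the bounds ever change. The ordering itself is right: the comparison runs on the raw ue(v) value, so the `+ 4` can no longer wrap, and a negative return from get_ue_golomb fails the lower bound.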
ping

Janne

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
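Ronald's sketch above (check the raw Golomb value against the bounds, then add the offset) worked through as an added example; this is not code from the thread or from libav. It uses the patch's MIN/MAX_LOG2_MAX_FRAME_NUM bounds, the bit reader, read_ue and parse_log2_max_frame_num are assumed names, and the inputs are constructed; read_ue also returns -1 instead of a wrapped value when the code is too long to fit in an int, the other failure Janne mentions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define MIN_LOG2_MAX_FRAME_NUM 4          /* same bounds as the patch */
#define MAX_LOG2_MAX_FRAME_NUM (12 + 4)

/* Minimal MSB-first bit reader, constructed for this example. */
typedef struct { const uint8_t *buf; size_t nbits; size_t pos; } BitReader;

static int read_bit(BitReader *br)
{
    if (br->pos >= br->nbits)
        return -1;                                    /* truncated input */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v) Exp-Golomb decode (H.264 clause 9.1). Returns -1 rather than a
 * wrapped value when the code is truncated or does not fit in an int. */
static int read_ue(BitReader *br)
{
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31)                             /* 2^32 - 1 cannot fit */
            return -1;
    if (bit < 0)
        return -1;
    unsigned info = 0;
    for (int i = 0; i < zeros; i++) {                 /* the zeros info bits */
        if ((bit = read_bit(br)) < 0)
            return -1;
        info = (info << 1) | (unsigned)bit;
    }
    unsigned long long v = ((1ULL << zeros) - 1) + info;   /* 2^zeros - 1 + info */
    return v > INT_MAX ? -1 : (int)v;
}

/* Reads log2_max_frame_num_minus4 and range-checks it BEFORE adding 4, so the
 * addition can never overflow; a -1 from read_ue fails the lower bound too.
 * Returns log2_max_frame_num (4..16) or -1 on invalid data. */
int parse_log2_max_frame_num(const uint8_t *buf, size_t nbits)
{
    BitReader br = { buf, nbits, 0 };
    int minus4 = read_ue(&br);
    if (minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 ||
        minus4 > MAX_LOG2_MAX_FRAME_NUM - 4)
        return -1;                                    /* out of range (0-12) */
    return minus4 + 4;
}
```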